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ABSTRACT 


This thesis examines the vulnerability of the Advanced Encryption 
Standard (AES) to algebraic attacks. It will explore how strong the Rijndael 
algorithm must be in order to secure important federal information. 

There are several algebraic methods of attack that can be used to break a 
specific cipher, such as Buchburger’s and Faugere’s F,4 and Fs methods. The 
method to be used and evaluated in this thesis is the Multiple Right Hand Sides 
(MRHS) Linear Equations. MRHS is a new method that allows computations to 
be more efficient and the equations to be more compact in comparison with the 
previously referred methods. 

Because of the high complexity of the Rijndael algorithm, the purpose of 
this thesis is to investigate the results of an MRHS attack in a small-scale variant 
of the AES, since it is impossible to break the actual algorithm by using only the 
existent knowledge. Instead of the original ten rounds of AES algorithm, variants 
of up to four rounds were used. 

Simple examples of deciphering some ciphertexts are presented for 
different variants of the AES, and the new attack method of MRHS linear 
equations is compared with the other older methods. 

This method is more effective timewise than the other older methods, but, 


in some cases, some systems cannot be uniquely solved. 
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EXECUTIVE SUMMARY 


This thesis compares different algebraic methods for solving and breaking 
the Advanced Encryption Standard (AES) algorithm. However, emphasis is given 
to the Multiple Right Hand Side (MRHS) Linear Equation method, which is a new 
algebraic method used for attacking ciphers with specific algebraic structures. 
Such a cipher is the Rijndael algorithm, which was adopted by the U.S. 
government as the most efficient among others in order to secure federal 


information. 


In cryptography, it is considered that a cipher is broken when a method 
other than the brute force attack can reduce the complexity of the algorithm or 
completely decipher it. The “brute force attack” method is a very simple method 
in which we try one by one all the possible keys in order to break the cipher. In 
particular, due to the complexity of the AES algorithm, it becomes very difficult to 
break it with this method. Therefore, AES generated interest to find a specific 
algorithm to break this cipher. Some of the older algebraic methods, such as 
Buchberger’s algorithm and Faugere’s F4 and Fs algorithms, which are briefly 
presented in Chapter II, cannot break this cipher. This work considers a new 
algebraic method (MRHS) that can break small variants of the AES. Even the 
breaking of a small variant of the algorithm constitutes a success, since it opens 


a new horizon in the cryptanalysis field. 


A comparison with the older algebraic attack methods that are presented 
in [9] shows that the MRHS method is faster than the others. In Chapter II, there 
is a quick overview for some of these methods and a more detailed analysis of 


MRHS method with some algebraic examples. 


The overall concept of this thesis is to create a program that will break a 
small variant of the Rijndael algorithm. This work is based on the codes that 
Professors Havard Raddum and Igor Semaev (of University of Bergen, Norway) 


provided to us. These codes (in the “C” language) are the application of the 


xiii 


MRHS method to the AES algorithm. In this thesis, we created new programs, 
which construct the equation systems of the AES algorithm, that we tried to solve 
by using the codes of Professors Raddum and Semaev. Our computational 


experiments examined many cases never considered in previous work. 


This thesis demonstrates that, for a small variant of the AES, this method 
is very efficient (few high-level operations). In the third chapter, some examples 
are contained that show how this algorithm works. In some of the computational 
experiments, a totally new and significant result appeared for the cryptanalysis 
field; sometimes a small AES variant can have multiple decryption keys for a 
specific encryption key. This result is surprising and is not mentioned anywhere 


by Professors Raddum and Semaev. 


In particular, the first example shows a case in which the MRHS method 
finds multiple solutions to the system (it fails to solve the system—break the 
cipher) and in the second one, all the MRHS linear equations are transformed 
into ordinary linear equations whose total number is the number of variables in 


our system. 
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I. INTRODUCTION 


A. HISTORY 


In 1976, the United States government as an official Federal Information 
Processing Standard (FIPS) adopted the Data Encryption Standard (DES). 
Today, this standard is considered insecure, and the necessity for a new more 
secure and efficient standard has emerged. Therefore, in 1997, the National 
Institute of Standards and Technology published a call for the replacement of 
DES. Among the requirements this new system had to meet were: the new 
algorithm should be able to allow key sizes of 128, 192 and 256 bits; it should 
operate on blocks of 128 input bits, and it should work in a variety of different 
hardware. For example, 8-bit processors that could be used in smart cards and 


the 32-bit architecture commonly used in personal computers [1]. 


For the adoption of the new algorithm, five finalists were chosen: MARS 
(from IBM), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and 
Vincent Rijmen), Serpent (from Ross Anderson, Eli Biham and Lars Knudsen) 
and Twofish (from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, 
Chris Hall and Niels Ferguson). Finally, in 2001, the Rijndael algorithm [2] was 
adopted as the Advanced Encryption Standard (AES) [3]. 


B. RELATED WORK 


This new algorithm was of great interest for the area of cryptanalysis. The 
cryptanalists started to seek ways to attack this algorithm, which might lead to 
breaking the algorithm (finding the key more efficiently than a brute-force attack). 
Since Rijndael’s algorithm is defined using algebraic operations in finite fields, 
cryptanalists investigated algebraic methods in order to break it. Therefore, they 
started to try the already known algebraic techniques for solving systems of 
polynomial equations. Some of them were the Buchburger’s algorithm and the F, 


and Fs algorithms [4] that are summarized in Chapter II with some simple 
1 


examples. Also, they tried to describe the new algorithm by using some different 
algebraic representations over the Galois finite fields [4] that are discussed in the 


same chapter. 


Recently, a new algebraic method was developed that used Multiple Right 
Hand Sides (MRHS) Linear Equations [5]. The main difference with the other 
algebraic methods is that the equations, which describe the algorithm, are not 
expressed anymore as multivariate polynomial equations, but instead they are 
presented as a system of linear equations, each having a set of multiple right 


hand sides. 


The Norwegian Professors Havard Raddum and Igor Semaev first 
developed this method. After a comparison between the Buchberger’s F, 
algorithms and the MRHS method, they concluded that the last one is much 


faster. 


In this thesis, after we borrowed the codes [6] from the Norwegian team, 
we managed to simulate the AES algorithm in the C language and to break 
small-scale variants of the Rijndael’s algorithm. After the application of the 
above-mentioned codes, many computational experiments were executed to 
explore how the method would work in many different cases. Though the 
previous work of Raddum and Semaev [5] only considered AES variants using 
the 8-bit field, we also explored variants based on 4-bit and 2-bit fields. From 
these experiments, we obtained some very surprising new results about the 
decryption (breaking) of variants of the Rijndael algorithm. In particular, one of 
the them is that there are some cases that a ciphertext, which was encrypted by 
a specific key, could be broken by using a definite number of different keys. This 


is explained in detail in Chapter Ill. 


C. INTRODUCTION TO AES 


Although the Rijndael algorithm was adopted as the official algorithm for 
AES, it is important to note that the algorithm, which is used in the AES, is a 
limited version of the Rijndael’s algorithm. In particular, Rijndael is a block cipher 
with both a variable block length and a variable key length [2]. While Rijndael’s 
algorithm can be used for block and key lengths in any multiple of 32 bits, with a 
minimum of 128 bits and a maximum of 256 bits, AES uses constant block length 
of 128 bits and key lengths of 128, 192 and 256 bits only. Also, this algorithm is 
applicable with a different number of rounds (N,), depending on the number of 
columns of the cipher key (Nx) and the number of columns of the rectangular 
array (Np) called state, which is actually the intermediate cipher result of the 
algorithm. In Table 1, the number of rounds are shown as a function of the block 
and key length. 











No 
Nx 4 5 6 7 8 
4 10 11 12 13 14 
5 11 11 12 13 14 
6 12 12 12 13 14 
rf ARS) 13 13 13 14 
8 14 14 14 14 14 














Table 1. | Number of rounds, N,, as a function of Np (block length/32) and Ny, (key 
length/32). 


Since, in this thesis, only the AES algorithm will be examined, it is good to 
analyze the subcases of the Rijndael’s algorithm that are used in the AES. For 


the encryption process, the input is the plaintext block and the initial key and the 


output is the ciphertext block. In the decryption process, the input is the 
ciphertext block and the output the plaintext block. 


With a 128-bit key length, the algorithm applies 10 rounds. (A 192-bit key 
length contains 12 rounds and a 256-bit length contains 14 rounds). In each 
round, there are four transformations (linear and non-linear) that are also called 
layers. Each round has also a round key, derived from the original key (input 
key). The round transformation and its steps generate intermediate data called 
states. A state can be considered as a rectangular array of bytes with four rows 
and a number of columns (Np) that depend on the size of the key length. Here, 
we consider that the key length is 128 bits, where the key is arranged in a 4x4 
matrix such that each element is a byte. The four transformations are the 
ByteSub transformation, the ShiftRow transformation, the MixColumn 
transformation and the AddRoundKey transformation. These four transformations 


compose a round. The four transformations are discussed next. 
D. STRUCTURE OF THE AES ALGORITHM 


The AES algorithm can be separated in two stages—the encryption and 
the decryption process. The algorithm for the encryption process includes four 
transformations, as it is shown below. The algorithm for the decryption process 
consists of the inverses of the above-mentioned transformations in the reverse 


order. 
1. Encryption Process 


The sequence of the four transformations mentioned above is the 
following: ByteSub, ShiftRow, MixColumn and AddRoundKey transformations. 


We next present these transformations in order. 
a. The ByteSub Transformation (BS) 


This is the only non-linear part of the algorithm and assures 
resistance to differential and linear cryptanalysis attacks [2]. This transformation 
4 


consists of an S-box, which is applied to each byte element of the state (16-byte 
block) independently and has three different steps: inversion, a Galois Field (GF) 


linear mapping, and S-Box constant ,as it is shown in Figure 1. 























Figure 1. The ByteSub step, the first stage in a round of AES (From [7)). 


(1) Inversion. In this operation of the S-box, the inverse is 
computed in the 8-bit Galois Field, GF(2°). The byte 00000000 has no inverse 
and 00000000 is used in place of its inverse. Assume that the first byte is 
XX gXsX4XzX, XX. The byte, which comes up from the inversion, will be 
V3N6NsN4N3¥2I, No» Which represents an eight element column vector, with the 
rightmost binary bit y, in the top position. This operation provides resistance 
against the linear and differential cryptanalysis attacks [1]. 

(2) GF—Linear Mapping. At this point, the y vector is 
multiplied by a constant matrix, and the column vector (0,1,1,0,0,0,1,1) is added, 
yielding a vector z,2,25242325%;Z): (Note: Galois addition is equivalent to bitwise 


XOR in any finite field of even size). 
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(3) | S-box Table. The byte z is the input to the S-box 
table. Consider an input byte abcdefgh. The S-box is a 16x16 matrix. We look for 


the entry at abcd row and efgh column (rows and columns are numbered from 0 


to 15). The intersection of these two entries, transformed into a binary number, is 


the output from the S-box. For example, if the figure 10101010 is the input byte, 


the first four bits, 1010, represent the decimal 10. Therefore, one enters at the 


eleventh row and eleventh column. The intersection is 172, as it is shown in 


Figure 2. This is converted into binary, which is 10101100. This is shown as ‘ac,’ 


which is hexadecimal for 10101100 in Table 2. That number is the output of the 


S-box. 
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Figure 2. S-Box in the encryption process (From [3]). 


In order to make clear the hexadecimal notation, Table 2 


shows the correspondence between decimal, binary and hexadecimal notations. 





















































Decimal Binary Hexadecimal 
0 0000 0 
1 0001 1 
2 0010 2 
3 0011 3 
4 0100 4 
5 0101 5 
6 0110 6 
7 0111 7 
8 1000 8 
9 1001 9 
10 1010 A 
11 1011 B 
12 1100 Cc 
13 1101 D 
14 1110 E 
15 1111 F 

















Table 2. Correspondence between decimal, binary and hexadecimal notations. 


b. The ShiftRows Transformation (SR) 


In this transformation, which is linear, the rows of each state are 
cyclically shifted to the left, with each row shifted a different amount, as it 
appears in Figure 3. This provides resistance against truncated differential and 
saturation attacks [2]. For example, row zero is shifted by Co bytes, row 1 is 
shifted by C, bytes, row 2 is shifted by Cz bytes in such a way that the byte at 


position j in row i moves to position (j-C;) mod Np. Particularly in AES C, =0, 
C,=1, C,=2 and C,=3. The output of this transformation is a matrix with the 


same dimensions as the input matrix. 





Figure 3. The ShiftRows step, the second stage in a round of AES (From 


[7]). 
c The MixColumns Transformation (MC) 


This transformation operates on each 4-byte column separately and 
is omitted in the last round. It is also a linear transformation, which has diffusion 
power. The columns of the state are considered as polynomials over GF(2°), 
which are multiplied by a fixed polynomial c(x) modulo (x*+1). This polynomial is: 


c(x) = 03-x° +01-x* +01-x+02 [2] 


and this multiplication can be presented as a matrix multiplication [2] (in 


hexadecimal notation), as it appears below: 


b,| [02 03 O1 O01] fa, 
b,| |O1 02 03 O1) fa, 

= x} 1 | [2] 
b,| |01 01 02 03] |a, 
b,| |03 O1 O01 02] Ja, 


Figure 4 depicts the MixColumns operation on the columns of the 


state. 











Figure 4. The MixColumns step, the third stage in a round of AES (From [7)). 


d. The AddRoundKey Transformation 


In this transformation, a key, consisting of 128 bits, which are 
arranged in a 4x4 byte matrix, is added to the output of the MixColumn 
transformation. A different round key is added to the state at the end of each 


round. 












aR Rol 
al Ral 
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Figure 5. The AddRoundKey step, the fourth stage in a round of AES (From 
[7]). 












This key is derived recursively from the original key as follows. We 


will see this procedure in five steps. 


Step1: Label the first four columns of the original key W(0), W(1), 
W(2), W(3). 


Since the whole algorithm consists of 10 rounds, 40 more columns 
are required, four for each round. Let i symbolizes the number of column in the 
different round keys as the columns are derived from the key schedule 
(4<i< 43). 


Step 2: If the number of the new column is a multiple of four, 


then... 
Step 3: It is W(i)=W(i-4)®7(W (i-1)), where T(W(i-1)) is the 
transformation of W (i-1) obtained as follows. Assume that the elements of the 


column W (i-1) are a,b,c,d. These are shifted cyclically to obtain b,c,d,a, and 


then, at this point, each of these bytes is substituted with its corresponding byte 
from the S-box of the ByteSub transformation, as it is explained above. So, four 
other bytes result, i.e., e,f,g,h. 


Step 4: Finally, the round constant 
r(i) = 00000010" *"" 


is computed in GF(2°). So, the T(W (i-1)) is the column vector (e@r(i), f.g.h). 


Step 5: If iis not a multiple of four, then 


W (i) =W(i-4)®W(i-1). 
2. Decryption Process 


The decryption process consists of the inverses of the four encryption 
steps: InvByteSub, InvShiftRows, InvMixColumns and invAddRoundkey. 
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a. The InvByteSub Transformation 


This transformation consists of the inverse S-box. In essence, in 
this step, the inverse transformation of the equation that was made in the 
ByteSub transformation is performed. For the linear mapping, one takes: 

















010100 1 Oj fa] [Oo] [2 
001010 0 1] ja} JO} | 
100 101 0 OJ Ja} |0O} | 
01001 01 Of Ja) .)o|_]4 
001001 0 1) Ja] ]O} 4, 
1001001 Of Ja} }1} |, 
OF 20908 1 O24) eae) | Oi) TB, 
[1 0 100 1 0 Oj fa} [1] [a] 


The inverse of the S-box appears in Figure 6: 


p7}etotaleie| a 


| 4{5/ 6 | 
30 | 36 38 
9b | 2f 87 
a6 | c2 3d 

















3 | c9 
Peb [bb | 3c | 83 | 53 | 























Figure 6. S-Box in the decryption process (From [3]). 
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b. The InvShiftRows Transformation 


In this transformation, the opposite shifting operation is applied. 
Therefore, the rows are shifted to the right instead of to the left, which takes 
place at the ShiftRows transformation. 


Cc. The InvMixColumns Transformation 


In this transformation, every column is multiplied by the inverse 


polynomial of c(x) (mod x*+1) which is: 
d(x) =0B-x°+0D-x* +09-x+0E 


The inverse matrix multiplication of the equation, which was used in the 


MixColumn transformation, is: 


b,| [OE OB 0D 09] fa, 
b,| [09 0£ OB oD| |a, 
b,| |oD 09 0£ oB| la 
b,| |0B OD 09 OE} la, 


This transformation is omitted in the last round. 
d. The InvAddRoundKey Transformation 


This transformation applies the keys that were used in the 


encryption process in the reverse order. 
E: THESIS OBJECTIVE 


A common method to break a cipher is called “the brute force attack.” In 
this method, one tries to break a cipher using one or more ciphertexts, where the 
corresponding plaintexts are known, by trying to decrypt them using all the 
possible keys for the cipher. When the decryption yields the known plaintext, we 
have found the key and the cipher is broken. (A variation on this method, used 


when the plaintexts are not known, stops when a meaninful plaintext is found). 
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However, as ciphers become more and more complicated, this method 
turned out to be useless. For example, in the case of the Rijndael’s algorithm, 
one has to try at most 2'* possible keys to break the cipher. This is impractical, 
since the time and the memory that are necessary for that exceed the limits of all 


existing workstations. 


In the last few decades, some cryptanalysis has been based on algebraic 
attacks. Algebraic attacks have the advantage that a cryptanalyst does not need 
to have many known plaintexts and ciphertexts in order to create an equation 
that can describe the cipher, an event that happens with the linear or differential 
cryptanalysis where one has to have many pairs of plaintexts and ciphertexts in 
order to be able to describe the cipher. 


In this thesis, a specific algebraic attack method—the Multiple Right Hand 
Side (MRHS) Linear Equations method—is examined and compared with other 
older methods (Buchburgers, Fz, Fs) [4]. In addition, a small-scale variant of the 
AES will be examined, since, as it will be explained later, the number of the 
variables for the whole AES algorithm is too big to be solved. 


Therefore, in Chapter II we will briefly summarize these older algebraic 
methods. While these methods can represent the AES, they cannot break the 
cipher. A more detailed analysis of the MRHS Linear Equations method will also 
be presented with a very simple example in order to show how this method 


works. 


In Chapter Ill, we will present the computational experiments, where we 
apply the MRHS approach to small variants of AES, including several that have 
never been attacked before by this method. We present the results of the 
application of this method with two representative examples. In the first example, 
the method fails to solve the algebraic system that is created with the MRHS 


Linear Equations, while in the second one we conclude to a solution. 
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ll. ALGEBRAIC EQUATIONS FOR AES 


A. INTRODUCTION 


There are many different ways to describe a cipher. However, the 
complexity of modern ciphers requires knowledge of their algebraic 
representation in order to attack and break them. In particular, one tries to 
describe a cipher by finding the algebraic properties that it has and, after that, by 
creating some homomorphisms or isomorphisms of this cipher. These new 
structures are very helpful, both to the implementers of a particular cipher who 
want to provide further protection to the cipher against side-channel attacks, and 
to the cryptanalysts who try to analyze it or even to break it. 


B. DIFFERENT REPRESENTATIONS OVER Fz AND Fase 


The meaning of F2 is the finite field with order (number of elements) 
p"=2', where p is always a prime number and n is a positive integer. 


Respectively, F2s¢ is the finite field with order p” = 2° = 256, which is also notated 
GF(2°). 


After the adoption of the modern algorithms, one of which is the Rijndael’s 
algorithm, a great interest was created for the wider application of computational 
algebra in cryptography. Therefore, a number of different algebraic 


representations were developed. 


In the case of AES, one can consider a number of different 
representations, which are called dual ciphers depending on the properties of 


their representation mappings. Some are described in the next pages. 
1. Isomorphic Representations 


Definition: Suppose A is a vector space over a field F with a 
multiplication operation Ax AA. If this multiplication operation is associative 
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and is a bilinear mapping on the vector space A, then A is an (associative) F - 
algebra, or, more simply, an algebra[4]. 


In these ciphers, the mappings of the state and key spaces are algebra 
isomorphisms of the AES state space algebra, where algebra is defined below. 
Therefore, these ciphers are isomorphic to the AES. 


In AES, each byte can be considered as an element of the finite field 
GF (2°) in terms of the following polynomial: 
m(x)=x°+x° +x +x+1 (Rijndael polynomial) 
which is irreducible in GF (2)[x]. This finite field can be constructed in many 
different ways from the chain of its subfields, as it appears below: 
GF (2) < GF (2?) cGF (2') GF (2°) 
In total, there are 30+(1-60)+(3-120)+(1-6-120)=1170 different 


isomorphic representations of the AES based on the different irreducible 


polynomials of the GF (2°) subfields as they appear in Table 3 [4]. 




















Subfield 
Degree GF (2) GF (2°) GF (2%) 
2 1 6 120 
4 3 60 - 
8 30 : : 














Table 3. | The number of irreducible polynomials over subfields of GF (2°). 


These particular representations are not of cryptanalytic interest. Rather, 


they are intended to improve the efficiency of hardware implementation. 
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2. Regular Representations 


The regular representation is the algebra homomorphism v:A— M,,(K) 


that maps ae A to the matrix corresponding to the linear transformation z+> az, 


where z is a vector over F of length n [4]. 
3. Logarithmic Representations 


Since an element of a finite field can be represented with logarithmic 
functions instead of vector spaces, an element of the AES state space (excluding 


zero bytes) can be described as an element of the set (Z,55)°. These ciphers are 


called log dual ciphers and there are 128 different primitive elements in F , giving 
128 such representations [4]. More details of how to specify a logarithmic 
representation of the AES are given in [8]. 


C. ALGEBRAIC SOLUTION METHODS 


In this subsection, some algebraic solution methods will be discussed. The 
first two will be based on the Grdbner basis algorithms, which are well-known 
methods for the solution of multivariate polynomial equations. These two 
algorithms have been unable to break the Rijndael algorithm, and at the end of 
this chapter there will be a comparison between these algorithms and the MRHS 
Linear Equation algorithm in terms of their complexities [4]. The last one, which is 
examined and analyzed in this thesis with more details, is a new approach that 
seems to have better results than the previous two based on the time that is 
needed in order to break the AES cipher. 


1. Buchberger’s Algorithm 


As mentioned above, Buchberger’s algorithm solves systems of 











multivariate polynomial equations. Consider a polynomial ring OE ae cme aa with 
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a monomial ordering. Suppose J <F|x,,x,,...,x,] is an ideal of this ring with a 





basis F ={f,,...,f,,+. The S-polynomial of any pair of the function of the basis is 


defined as: 


where Icm is the /east common multiple, LM is the Leading Monomial, and LT is 
the Leading Term. What one tries to achieve with this polynomial S, which 
belongs to the ideal 7, is to cancel the leading terms from any pair of the 
polynomials and, with the help of the next theorem, to compute a Grdbner basis 
of the ideal / [4]. 














Theorem: Let F[x,,x,,...,x, ] be a polynomial ring with a monomial ordering, and 











let I be an ideal of F[x,,x,,....x,]. A basis G={f,,....f,,} for the ideal I is a 





Grébner basis for I if and only if every S -polynomial S(f,, f,) of pairs of distinct 
polynomials f,,f,<G has remainder 0 upon division by G . 

Consider an example of how to solve a multivariate polynomial system by 
using this algorithm. 


Example: Consider a polynomial ring F[x,y] with multivariate polynomials 
(with two variables) over the complex numbers with the lexicographic order 


(y~<x). The ideal in this particular example is generated from the polynomials 
that appear below: 
fi=xy-land f,=x’-x 


Here, the Grodbner basis is computed by using the Buchburger’s algorithm. Set 


G={f,,f,} and compute the S(/,, f,) -polynomial. 








S(f- fr) = = a eer (xy? ~x) 


= y(x?y-1)—x( xy” —x) =x -y 
The leading term of the S(f,,f,) is x°. The leading term of f, and f, is x°y and 
xy’, respectively. So, S(f,, f,) cannot be reduced by these two polynomials. The 
G is expanded, so that it becomes G={f,, f,,f,} where f,=x°-y and S(f,,f) 


and S(f,,f,) are computed. 


S(f,,f;)=y? —1, which cannot be reduced by the set G={f,, f,, f,}. So the set 


G={f. ffs. f,| is expanded, where f, = y’—1. 


S(fi,f;)=-x° + y°. Its leading term is —x* which is divisible by the LT(f,). The 


division of S(f,,f,) by f, and then by f, results in: 
S(f,. f)=-v +y =-f,+(y -y)=-ft oy 


Now, S(f.f:)=f» S(f.f,)=0 and S(f,,f,)=f,—yf, are also computed. Thus, 
one concludes that all these S-polynomials can be reduced by G. So, 
G= ee eon cee is a Grobner basis of the ideal 7 . The reduced Grdbner basis is 
G={x’—y,y’-1}. Finally, the following system of equations is solved in order to 
find the solution. 


x -y=0 
y’-1=0 


The complete solution of this system is {(1,1),(-1.1),(i,-1).(-i.-1)}. 


2. F, and F; Algorithms 


These two algorithms have their names from their creator, Jean Charles 
Faugere, and compute again a Grobner basis. They can be viewed as an 
improved method of Buchburger’s algorithm. They are based on the same 


principles. In particular, the F4 algorithm instead of polynomial reduction uses 
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matrix reduction, while Fs; uses matrix reduction, but each of these generated 


matrices is of full rank. This method is illustrated in the next example [4]. 


Example: Consider the polynomial ring R[x,y,z], which includes 


polynomials with three variables in lexicographic order. We want to reduce the 


following polynomials: 
f, =3x'yz—Sxy and f, =5x°z?+3xy4+l 
by the set of polynomials {g,, g,}, where 
g,=xy-2z and g, =x°z-3yz. 
To reduce f,, with respect to {g,,g,}, the following reduction is performed: 
f, = 3x’ yz—Sxy 
=6x"2? —S5xy+ (3x?z) gi 
=—5xy +18 yz’ + (3x2) ‘ei +(6z) e; 
=18yz? -10z +(3x°z) g,+(6z)g,-(5) 8, 
So, f, is reduced with respect to {g,,g,} to 18yz*—10z. 
The same procedure for f, is 
fy =5x° 2" +3xy +1 
= 3xy +15 yz" +1+(5z) g, 
=15yz*+6z+1+(5z)g,+(3)g, 


Thus f, is reduced to 15yz*+6z+1 with respect to {ois Bat 
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The idea behind the F4 and Fs algorithms is to make these reductions as a 


matrix reduction. However, the reduction for both f, and f, requires reduction 


only with respect to (x’z)g,, g,, and (z) 8. Therefore, a matrix of coefficients is 


created. 


f 3 0 0 5 0 0 
cB 05 0-3 01 
Kae 120 0 0 0 
lg, 0 0 0 2 0 
ZB 0 1 3 0 0 0 


The reduction steps correspond to the row reduction of the first two rows, 


which represent the polynomials f,, f, using the last three rows, which represent 


the (x°z)g,,g,,(z)g, polynomials. So, as a result of the reduction, the following 
1 1 2: 


matrix is derived. 


Ee 0 0 18 0 -10 0 
a 00 15 0 6 1 
x28, 120 0 0 0 
lg, 00 01 2 0 
285 0 3 0 0 O 


The first two rows of the reduced matrix give the reduction of f,, f, with respect 


to g,,g,. Note, that this is the same result that was achieved with the 


Buchburger’s reduction. 
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3. 


Multiple Right Hand Sides (MRHS) Linear Equations Algorithm 


A different approach of algebraic attack not based on equations of 


polynomials will be examined. This presentation will utilize a special type of 


equation known as Multiple Right Hand Side Linear Equations. 


Definitions: 
1. 


A set of small-scale Variants of the AES denoted by SA(n,r,c,e) are 
defined, where 


nis the number of rounds, 
ris the number of rows in the rectangular arrangement of the input, 


c is the number of columns in the rectangular arrangement of the 
output, 


e is the number of bits in a “word.” 


Since we consider that e=8, the underlying finite field is GF(2*) and all the 


matrices and vectors are over GF(2). 


2. 


Let X be a set of Boolean variables represented as a column 
vector. An equation of the form 
AX =4,,45,...,4 
or 
S,:A4X =[L] 
is called an MRHS system of linear equations if A is a matrix of 
size kxn and rank k and a,,a,,...,a, are column vectors of length k. 


Ss 


A symbol S=(X,L) consists of an ordered set of variables X=X(S) 
and a list L=L(S) of Right Hand Sides [9] 


a. Agreeing Procedure 


One of the problems with applying algebraic attacks in a cipher is 


the difficulty of presenting practical examples, because the required time and 


memory requirements grow beyond the limitations of a typical workstation. 


Therefore, only small-scale variants of the different ciphers were performed. 
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After the completion of the rounds of AES, one can count the 
number of variables there are in the system in order to determine the algebraic 


equations that can describe the system. 


For example, the total number of variables for the AES, assuming 
8-bit words, is given by the following formula: 


8rc + 8nr +8(n—1)re 


Thus, for a complete AES the number of variables is 1600. This is large, if one 


wants to solve a system with so many non-linear polynomial equations. 


Figure 7 shows the bytes that are variables in a small-scale variant 
of the AES. 





Figure 7. SR(3,4,4,8) equations variables (From [9]). 


The variables can be separated in two different categories. The first 
one includes all the bits that are derived after each S-box, except the last one 
that is considered as known, since the ciphertext is considered as a known for 
this algorithm. The second one is the 16 bytes of the initial key and after that, 
only the first column of each expansion key, since the first column is derived with 
the contribution of the S-box, while the three others are dependent on the first 
column, as it is shown in Figure 7 and described in the AddRoundKey 


transformation in Chapter |. 
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Consider two symbols: 
S,:A,X =[L,] and $,:A,X =| L, | 
The matrices L; are of size kixs; These symbols are derived from 


the bits that go in and out of each S-box, which are expressed as linear 


combinations of the variables. 


These two symbols agree if, for any a, <L,, there exists an a, €L, 


such that the linear system 


is consistent, and, conversely, for any a,e¢L,, there exists an a,<L, such that 


the linear system is consistent. The steps for the application of this attack are as 


follows: 
e Define the matrices: 
A iE oO). 
A= As T= Ti, = L with t=k,+k, rows. 
J J 

e Choose a nonsingular transform matrix U of size txt such that the 
product UA is a matrix with zeros in its last r rows. If r=0, then the 
symbols agree. 

° If r>0, then compute the matrices UT; and UT,,. Let Pr, denotes 
the set of UT7,-column projections to the last r coordinates. If 
Pr, = Pr,, the symbols agree. 

e If Pr, #Pr,, then remove the columns from L, whose image is not 


found in Pr,{\Pr,, and, similarly, the columns from L, whose image 
is not found in Pr,{)Pr,,. One concludes with two new symbols 


whose equations are S;:4,X =[L,| and S;:A,X =|L, |. 


This procedure is repeated up to the point that all symbols agree. When the 
agreeing procedure is applied in a pair of symbols S; and S; and the procedure is 
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continued with other symbols in the system, for example, S,, it is possible that 


the S;and S, will disagree. This means that S; and S; may disagree again after S; 
and S, agree. So, the previous agreements have to be run through again and 


again. 
b. Gluing Procedure 


After the completion of the agreeing procedure, one may conclude 
that the system of equations does not have a solution. Therefore, a way to start 
the agreeing procedure again must be found. Here is where the gluing procedure 
comes into play. This method merges two symbols into one, bringing their joint 
information in the new symbol. The agreeing procedure is applied again with the 
new symbols, and is repeated until a unique solution is reached. The following 
example demonstrates how this works. Also, this step increases the complexity 
of the attack. 


Cc. Example 


1. Agreeing Procedure. We have two equations 


A,X =[L,] and A,X =[L,] in variables X = {x,,x,,x,,x,,x5}: 


J ea 

110 0 Oj x, 100 1 0 1 0 0 I)Ix, 010 0 

LO POO. Ola, =) 2 O° 0) 4. (O00 TO. Liat) 2 Oe 

10 0 1 Oj x, 0011 00 0 1 Iilx, 110 1 
Xs | Xs 














By following the previously described procedure, the matrix A is: 


0 0 


Se = = © DO O&O 
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aS Sn ee 





Op tee OO = 


A non-singular matrix U for the transformation of A is: 





100 0 0 0 
0 10 0 0 0 
0010 0 0 


00010 0) 





So, 





1 00 0 


101 0 0 


100 1 0 


0100 1) 
00000 
00000 





=2. 


Then, r 


Put now 





0 0 0 0 
00 0 0 
0 0 0 0 
0 1 0 0 








100 1 
0 1 0 0 


0 0 0 0 





and compute: 
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Looking at the last two rows of the above matrices, one defines: 
Pri2={(1,1),(1,0),(0,1)}, = Praa={(1,1),(0,0),(0, 1)} 
Pri2lPro1={(1,1),(0,1)} 


One can observe that the second and the fourth column of U7,, do not match 
with any column of UT,,. Therefore, these columns are removed. Similarly, the 


second and the third column of UT,, should be removed for the same reason. 


In addition, two new symbols result, 





x | x, | 
110 0 O|}x, 1 0 0 1 0 0 I} x, 0 0 
101 0 O}/x,|=)}0 O} , }0 0 1 O Ii x, ;=|1 0 
100 1 O|/x, 0 1 00 0 1 Iii x, 1 1 
bs Xs 














that now agree. 


2. Gluing Procedure. Let B be the sub-matrix of UA in its 
last tr nonzero rows. The gluing of the two previously agreed symbols is BX=/L], 
where each column of L is the sum of one column from UT,2 and one from the 
UT»; with the same projection in its last r coordinates, reduced to the first tr 


rows. 


For the above example, the gluing procedure yields: 











x) 
11000 1 0 
xX, 
10100 0 0 

xX. |= 
£200" he Oe al 
X4 
01001 0 0 
Xs 


This MRHS system of linear equations contains the information of the first two 


different symbols. 
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d. From MRHS to Linear Equations 


In order to derive the ordinary linear equations (unique right hand 
side) from the MRHS linear equations, the L matrix is triangulated with a row 
transformation. An upper-triangular matrix with zeros in its last r420 rows is 
sought, from where to take r;, homogeneous equations. There may also be non- 
homogeneous equations with ones in the whole row of L. In the above example, 


the triangulation of L results in the following symbol: 











xy 
11000 1 O 
Xy 
0 10 1 0 1 1 
x3 )= ; 
1010 0 0 O 
X4 
01001 0 O 
x5 


which is equivalent with the three following linear equations and the two initial 
MRHS linear equations [5]: 

X,+x,=1 

x, +x, =0 


Xy +x; =0 
4. Algorithms’ Complexities and Comparison 
This section compares the complexities of the previously described 
algorithms. 


The Buchberger’s algorithm time complexity is related to the total degree 
of all the intermediate polynomials that are generated by the algorithm. In 


essence, this algorithm can have double exponential complexity. In particular, 


considering the AES equation system over GF (2°), the complexity of 
Buchburger’s algorithm is, at worst, single exponential [4]. 


The Fy, and Fs algorithms are different approaches for the computation of a 
Grdbner basis. Since the Buchberger’s algorithm involves polynomial reductions, 
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which take place sequentially, while F, and Fs use matrix reductions, it seems 
logical that F, and Fs will be faster. The Fs algorithm is even better than the F, 


because it uses only full rank matrices. 


The complexity of the MRHS algorithm is very difficult to specify since the 
different parameters that can be used, such as the number of rounds, the 
number of rows and columns, etc, make it very complicated. However, this 
algorithm seems to be much better than the previous ones, since the required 


time to solve equations from the AES is much smaller [5]. 
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lll. COMPUTATIONAL EXPERIMENTS 


A. METHODOLOGY 


This chapter will explain how the MRHS method was applied by using 
different equations that were generated with the code shown in Appendix B. The 
parameters of this small-scale variant of AES were determined: the number of 
rounds (O<N,<10), the number of the rows and the columns in the rectangular 
arrangement of the input (O<N»<4), and the number of bits in each word (2, 4, 8). 
In addition, a random plaintext and an initial key were chosen, which have 
lengths that correspond to the number of columns and rows of the states and 
with the number of bits in the words as well. These texts are expressed in 
hexadecimal notation. After that, the MRHS Linear Equations method was used 


to try to solve this system. 


Initially, the agreeing procedure was implemented to see if some linear 
equations could be extracted just by applying this procedure. If the number of 
linear equations that resulted was equal to the number of variables in the system, 
then the procedure would be stopped since there would be a unique solution for 
the system. If the number of linear equations extracted from the agreeing 
procedure was less than the number of variables, the gluing procedure was 
performed, in which the maximum number of Right Hand Sides (RHS) in the 
glued equations is specified. Then another attempt was made to extract some 
linear equations. In order to have a unique solution, it is necessary to have a 


sum of linear equations equal to the number of variables. 
B. RESULTS 


Some simple examples of the procedure described above are shown 


below. 
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1. Example 1 


In this example, a system was created with two rounds, two rows and two 
columns, in the rectangular arrangement of the input and 2-bit words. The 
system has also a plaintext fa (in hexadecimal notation), which corresponds to 
11111010 in binary notation, and a key ea (in hexadecimal notation), which 
corresponds to 11101010 in binary notation. The system of equations appears 
below, starting with the number of bit variables and the number of MRHS 
equations. Each MRHS equation appears as the number of rows, the number of 
RHS, the rows of Aj and the columns of Lj. The first four symbols are from the key 
schedule, the next four from round 1, and the last four from round 2. 

24° 19 
4 4 

000000100000000000000000 

000000010000000000000000 

100000001000000000000000 


010000000100000000000000 
O11 


000 


0 
0110 
1 
1101 





4 4 
000010000000000000000000 
000001000000000000000000 
001000000010000000000000 
000100000001000000000000 
0010 
0111 
1001 
1100 

4 4 
000000100010000000000000 
000000010001000000000000 
000000001000100000000000 


000000000100010000000000 
32 


0000 
0101 
1011 
1110 
4 4 
000010001000000000000000 
000001000100000000000000 
000000000010001000000000 
000000000001000100000000 
0010 





0111 
1001 
1100 
4 4 
100000000000000000000000 
010000000000000000000000 
000000000000000010000000 
000000000000000001000000 
0010 





0111 
1001 
1100 
4 4 
000000100000000000000000 
000000010000000000000000 
000000000000000000100000 
000000000000000000010000 
0010 





0111 
1001 
1100 
4 4 
000010000000000000000000 
000001000000000000000000 
000000000000000000001000 
000000000000000000000100 
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0010 
0111 
1001 
1100 
4 4 
001000000000000000000000 
000100000000000000000000 
000000000000000000000010 
000000000000000000000001 
0010 





0111 
1001 
1100 
4 4 
000000001000000001110000 
000000000100000011100000 
000000000000100000000000 
000000000000010000000000 
0001 





0100 
1010 
1111 
4 4 
000000100010000000001101 
000000010001000000001011 
000000000000001000000000 
000000000000000100000000 
0010 





0111 
1001 
1100 
4 4 
000010001000000000000111 
000001000100000000001110 
000010001000100000000000 
000001000100010000000000 
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0010 
0111 
1001 
1100 
4 4 
000000000010000011010000 
000000000001000010110000 
000000100010001000000000 
000000010001000100000000 
0000 
0101 
1011 
1110 


now: neq = 12 ; nlink = 0 ; linbank = 0 


Let us explain the above shown result. The “neq” is the number of MRHS 
Linear Equations we have up to that point. The “linbank” (linear bank) is the 
notation, which shows the number of the ordinary linear equations that have 


extracted after the application of the agreeing or gluing procedures. 


The above system has at the beginning 24 variables combined in 12 
MRHS linear equations. Before the application of the agreeing procedure, we 
cannot extract any ordinary linear equation. That is why we see in the above 


result that we have 0 number of linear equation in our linear bank (linbank). 


This system of equations was used as input in the code “mrhs,” which is 
shown in Appendix B. After the agreeing procedure, we conclude with zero 
MRHS linear equations and 22 new ordinary linear equations, which appear 
































below. 
0 8 20 21 ee) 
0 oi 2 8 9 10 21 22 0 
va) 
2 10 20 = 0 
1 2 9 10 19 0 
0 8 18 = 0 
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now: neq = 0 ; nlink = 0 ; linbank = 22 
The numbers that appear in the above system of ordinary linear equations 


represent the number of the variable in our initial system, i.e., 0. 


The matrix form of the above ordinary linear equations is shown below: 


001100000000000000000001 
001000000000000000000010 
000011000000000000000100 
000010000000000000001000 
000000110000000000010000 
000000100000000000100000 
110000000000000001000000 
100000000000000010000000 
000011001101000100000000 
000010001010001000000000 
000000110111010000000000 
000000101010100000000000 





000111000001000000000000 





001010000010000000000000 
110000011100000000000000 
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100000101000000000000000 
111010110000000000000000 
01101100000000000000000 
1111000000000000000000 
10010000000000000000000 





1100000000000000000000 
10000000000000000000000 
1010101000101000000 





Co OF OF Oo 
; ; ; 





oe) 


The last row represents the Right Hand Side, which has only 22 elements, 
meaning that there are two free variables. The same thing can be easily 
observed from the reduced matrix of the coefficients of the variables. That 
particular system cannot have a unique solution. The possible solutions of this 
system appear below. 
010000000000000000000000 
101100000000000000000000 
000010000000000000000000 


000001000000000000000000 
100000100000000000000000 





001000010000000000000000 
000000001000000000000000 
101000000100000000000000 
001000000010000000000000 
101000000001000000000000 
101000000000100000000000 


Sr Oy 8: CR RS, AO Os “Or Os) Or" VO 


100000000000010000000000 





001000000000001000000000 
000000000000000100000000 0 
100000000000000010000000 
100000000000000001000000 0 
100000000000000000100000 
101000000000000000010000 0 
000000000000000000001000 
000000000000000000000100 0 





001000000000000000000010 
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100000000000000000000001 0 


free: 


solutions: 

2022002271272722722027?7?2?710?? 
000000001110001010101010 
100100101011111001011011 
001100011001100010111000 








101000111100010001001001 


Therefore, the variables Xo and X2 are free variables, as it is appeared in 
the code above. Additionally, we have a depiction of the four different solutions at 
the end, which means that this particular system has four different keys for one 
plaintext and ciphertext. In that example, where we have a small-scale variant of 
the AES with two rounds, two rows and two columns in the rectangular 
arrangement of the input and two-bit words, the algorithm cannot give a unique 


solution. 


This is a surprising result, as we mentioned in the introduction. We have a 
specific plaintext, which is encrypted by using a specific key. In our attempt to 
break the algorithm and to extract the initial plaintext from the ciphertext, we 
expect to recover the initial key. Instead, solving the system of the MRHS Linear 
Equations, we found four different keys that can decrypt that ciphertext to get the 
correct plaintext. 


One thing that one could suppose is that some other linear equations 
could be extracted in order to solve this problem, by applying a different plaintext 
with the same key. At first glance, it can be seen that the ordinary linear 
equations are different from the previous ones. However, if the matrix of the 
coefficients of the variables is reduced, we conclude exactly in the same set of 


linear equations as before. Therefore, such a system has a non-unique solution. 
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2. Example 2 


The second example is one with a unique solution. The parameters of this 
system are one round, two rows, and two columns in the rectangular 


arrangement of the input and four bit words. 


The system, which appears below, has 24 variables and six MRHS linear 
equations. Therefore, in order to end up with a unique solution, it is necessary to 
find 24 ordinary linear equations. 


24 6 

8 16 

000001000000000000000000 
000100000000000000000000 
001000000000000000000000 
000110000000000000000000 
010000000000000000000000 
11111010000000000000000 





11011100000000000000000 





11011100000000000000000 
0000000 
1000000 
0100000 
1110000 
0001000 
1001100 
0101100 
1101100 
0010110 
1000101 
0110101 
1100110 
0001101 
1011010 





0101101 





Or X@O"* VO® VO* i we LO Oe IO RE CE ee CE ER. en 2 








1101110 
8 16 
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10000000 





01000000 
0100000 
1110000 
0001000 
1001100 
0101010 
1101010 





1100001 
0001101 
1011011 
0101101 








1101001 
8 16 


000000000001 


000000000001 


000000000011 





10000000 
11000000 
00100000 


000000000100000000000000 
000000010000000000000000 
000000100000000000000000 
000000011000000000000000 
000001000000000000000000 
000000110001000000000000 
000000100010000000000000 
000010000000000000000000 


000000000000001000000000 


1000000000000 


000000000010000000000000 


1100000000000 


000000000100000000000000 





1000100000000 


000000000100110000000000 
000000001000000000000000 


1110000 
0001000 
1001100 


0 

1 

1 
10101010 
11101010 
00010101 
01000011 
1 


0110011 





1100011 
0001101 
1011001 
0101101 











0 
1 
0 
0 
01101011 
8 16 

100000000000000000000000 
100100000000000000000000 
101000000000000000000000 


100100000000000010000000 
110000000000000000000000 





001100000000000000010000 
001000000000000000100000 
011000000000000011100000 
0000000 
1000000 
0100000 
1110000 
0001000 
1001100 
0101010 
1101010 
1101111 
0111010 
1001010 
0011001 











1110100 





Bek” Koa * A? Ro EO 


0100011 
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01010100 
00010001 
8 16 





10000000 





01000000 
0100000 
1110000 
0001000 
1001100 
0101000 
1101000 


1000001 
0110001 
1100010 
0001101 
1011010 





1 

1 

0 

1 

1 

0 
00010110 
1 

1 

1 

0 

0 
00101101 
0 








1101010 
8 16 


000000000001 


000000000001 


000000000011 





000000000010000000000010 


000000000100000000000100 


000000000000000000000100 
000000010000000000010000 
000000100000000000100000 
000000010000000000011000 
000001000000000001000000 





000000110000000000110001 
000001100000000001101110 
000011100000000011101110 


000000000000010000000000 


1000000000001 


1100000000001 








1000100000011 


000000000110111000000110 
000000001110111000001110 
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10000000 
1000000 
0100000 
1110000 
0001000 
1001100 
0101000 
1101000 
0010110 
1000001 
0110001 
1100010 
0001101 
1011010 





0101101 





> (Or Oe I UR Re EP ORR SIR KO RY vt SO 





1101010 


now: neq = 6 ; nlink = 0 ; linbank = 0 


In this case, we tried to extract some ordinary linear equations directly 
from the initial system of the six MRHS Linear Equations, without any result. After 
the agreeing algorithm is applied, there is still no linear equation in the linear 
bank. As we said before, “linbank” (Linear bank) is the name of the place in the 
computer program where all the ordinary linear equations, that are extracted from 
the different procedures, are saved. This means that many times the agreeing 
procedure has no result, if it is applied alone in such a system of MRHS Linear 
Equations. Here is where the gluing procedure is performed. In this particular 
example, we observe that exactly 24 different ordinary linear equations are 


extracted, which are shown below. 


23 
22 


21 
20 


ds dD bd bd 
1 1 1 1 
oe) Oo Oo oe) 
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19 = 0 
17 + 18 =0 
17 SO 

16 = 0 

4+ 15=0 
14 = 0 

4+ 13=0 
12-20 
4+ At = 0 
16S: 0 

4+ 9=0 
4+ 8=0 
4+ 6 TS0 
4+ 6=0 

5 = 0 

3+ 4=0 
3.20 

2.20 

t10 

c= 5 


now: neq = 0 ; nlink = 0 ; linbank = 24 


As we mentioned before, we conclude in zero MRHS Linear Equations 
and 24 ordinary linear equations (“linbank=24”). 


In a matrix form, these are: 


24 0 

linear eqs (24): 
24 
000010000000000000000001 
000010000000000000000010 
000010000000000000000100 





000010000000000000001000 
000000000000000000010000 
000000000000000001100000 
000000000000000001000000 
000000000000000010000000 
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000010000000000100000000 
000000000000001000000000 
000010000000010000000000 
000000000000100000000000 
000010000001000000000000 
000000000010000000000000 
000010000100000000000000 
000010001000000000000000 
000010110000000000000000 
000010100000000000000000 
000001000000000000000000 





000110000000000000000000 
000100000000000000000000 
001000000000000000000000 
010000000000000000000000 
100000000000000000000000 





000000000000000000001000 


In addition, the unique solution of this system is: 


100000000000000000000000 0 
010000000000000000000000 O 
001000000000000000000000 O 
000100000000000000000000 
000010000000000000000000 
000001000000000000000000 0 
000000100000000000000000 
000000010000000000000000 O 
000000001000000000000000 
000000000100000000000000 
000000000010000000000000 0 
000000000001000000000000 
000000000000100000000000 O 
000000000000010000000000 
000000000000001000000000 0 





000000000000000100000000 





000000000000000010000000 0 
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000000000000000001000000 
000000000000000000100000 
000000000000000000010000 
000000000000000000001000 
000000000000000000000100 
000000000000000000000010 


PrP FP FPF Oo Oo oO 


000000000000000000000001 


free: 


solutions: 


000110101101010100001111 


There are no free variables. Therefore, it is a unique solution, as it 


appears above. 


From the two examples above, we saw how the algebraic attack method 
of MRHS Linear Equations works. The many experiments that were tested for 
this thesis were mostly successful for a small variant of the AES. The parameters 
of the system that were used were at most four rounds, with four rows and 
columns and 8-bit words instead of 10 rounds that the original AES algorithm 


uses. 
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IV. CONCLUSIONS AND RECOMMENDATIONS 


This work has shown that the new method of breaking the Rijndael 
algorithm with the algebraic representation of a system with Multiple Right Hand 
Sides linear equations is quite effective. It is comparatively effective because by 
using other algebraic methods, such as the Buchberger’s and the F4 — Fs 
algorithms, it was impossible to find a solution for some very simple systems. In 
particular, a small version of the AES with 5 rounds and 1 row and 1 column in 
the rectangular arrangement of the input, could not be solved with the older 
algebraic methods [5]. Moreover, a system with 4 rounds and 1 row and 1 
column in the rectangular arrangement of the input, took 20286.18 seconds to be 
solved by the standard algebraic methods [5]. The MRHS method solved this 
problem in only 0.032 seconds [5]. 


In Chapter Il, we saw that the new method seems to be much better than 
the other algebraic methods in terms of complexity. As mentioned before, due to 
the different parameters that this algorithm can have, (different number of 
rounds, rows and columns) it is very complicated to specify an exact complexity. 
According to the real parameters of the AES, our test cannot be considered very 
realistic, since the values of the parameters of the original AES are bigger. 
Nevertheless, by comparing the complexities in terms of the time consumed for a 
small-scale variant to be solved, we conclude that it is worthwhile to further 


develop and improve this method. 


The AES, as we explained in the beginning, is a standard in order to 
secure federal information. With MRHS Linear Equations, we concluded that we 
can break a small-scale variant of this system. We cannot say that the AES is at 
risk, but we can say for sure that this new method gives new perspectives in the 


field of cryptanalysis that may put the AES algorithm at risk. 


For example, one new detail in this thesis, is the application of our codes 


in many different experiments with different parameters. In particular, instead of 
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the 8-bit field that professors Havard Raddum and Igor Semaev used, we 
executed some experiments in the 2-bit and 4-bit fields, that is original. From 
that, we discovered a result very important in terms of cryptanalysis. There are 
some cases where (a small variant of) the Rijndael algorithm can have multiple 
solutions. We demonstrated that in the 2-bit field. However, it may be valid 
though more difficult of course, even in the 8-bit field, which might reduce the 
effectiveness of the algorithm. This means that we may have to be cautious 
when we choose the encryption keys, because multiple decryption keys would 
make it easier to break the algorithm and further to decrypt and reveal important 


federal information. 


In conclusion, our first goal was to create the code, which could solve a 
small-scale variant of the AES. Based on the codes of Professors Raddum and 
Semaev, we reached this point. In a few cases, a unique solution of a small-scale 
variant of the AES resulted. However, the small AES algorithm has some 
weaknesses, which consist of the fact that some systems cannot uniquely be 


solved, even if different plaintexts with the same initial key are applied. 


The complexity of this algorithm is the area that needs to be improved in 
future research. The reduction of the complexity by a significant factor could 
upgrade the MRHS algorithm to a very effective algebraic attack method against 
new very strong cryptographic algorithms. This reduction could be achieved by 
reducing either the number of the agreeings between the symbols or the 
numbers of gluings which adds more complexity in the whole algorithm. One way 
to achieve that could be the simultaneous agreeing of more than two symbols, 
which may require a smaller number of necessary gluings for the extraction of 
the ordinary linear equations. In that way, we could break an AES algorithm with 


parameters of greater value. 
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APPENDIX A 


(These codes are only intended for experiments with the MRHS method, 
and neither their author nor the author of this thesis takes any responsibility for 


their use) 


1. BASIS.h (by Havard Raddum and Igor Semaev) 
include <stdio.h> 

include <stdlib.h> 

Hinclude <math.h> 





typedef unsigned int u32; 
typedef unsigned char u8; 


#define MAXINT 2147483647 

#define EPSILON 0.001 

#define log2(x) ( 1.442695040888963407359924681 * log(x) ) // !! 
changed for bcc - DC 








int NVAR, NWORDS; 


u8g 
weight [256]={0,1,1,2,1,2,2,3,1,2,2,3,2,3,3,4,1,2,2,3,2,3,3,4,2,3,3,4,3, 
A, A, Spl p2y 2p 3, 2p 3p or4s 


2,3,3,4,3,4,4,5,2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,1,2,2,3,2,3,3,4,2 
p373 p47 37 474754 


27 37p37 47374747 D7 S14 Ay 36 47 9797 0427 3737 47 374 4 O73 4 47 54475724 07 3 
pags S741 Dy op Oy 


Ay Sp 37 Op dD, O70, 11,272, 372, 3737 427373) 4737 44 or2r srs, 40374747513 
paz; 4p Arora e 


2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,3,4,4,5,4,5,5,6,4,5,5, 6,5, 6,6,7,2 
73,3,4,3,4,4,5, 


3) 4;-4; 574, 57-5, 07 Sy Ay Ay Se 4,7 34-97 G7 4) Dy D7 OF D7 04-07 1p 3p 4p 4; OF 4, D4 Oy OF 4 
19,9,6,5,6,6,7, 
459407 97-07 Op Ty D9 Oy Oy: 1, 6, ly Tp Shy 


struct bitVector{ 
u32 *v; 
int length, wl; 
}; 


struct eqSymbol { 
int nlin, nrhs, nw, nn, egqnr, originalNRHS; 
u32 **A, **b, **coverID; 
u8 *RHSexists, delSinceExtract; 
struct linkSymbol **link; 
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}; 


struct linkSymbol { 
int ncells, *nCover[2], linknr; 
struct eqSymbol *nlist[2]; 
struct bitVector *cellID; 
u8 *cellExists; 


}; 














struct system{ 
int neq, nlink; 
struct eqSymbol *E, *linbank; 
struct linkSymbol *L; 

}; 





int ww(u32 *word, int n) { 
int i, Jj, w=0; 


for(i=0; i<n; ++1) { 
wt=weight [word[i]&0xff]; 
wt=weight [ (word[i]>>8) &Oxff]; 
wt=weight [ (word[i]>>16) &0xff]; 
wt=weight [word[i]>>24]; 





return w; 


} 


double averageNRHS (struct system *S) { 
int i, totnrhs=0; 


if (S->neq==0) 
return 0.0; 

for(i=0; i<S->neq; ++1) 
totnrhst+=S->E[i].nrhs; 





return (double) (totnrhs) / (double) (S->neq) ; 
} 


int smallestSetBit (u32 *M, int necw) { 
int j3=0, m=0; 
u32 w; 


while(j<ncew && !M[4j]){ 
jtt; 
mt+=32; 





if (j==ncw) 
return -1; 
w=M[j]; 
for(j=4; j>=0; -—-j){ 
Lf (! (w& ( (1<< (1<<j) 
mt+=(1<<j); 
w>>=(1<<j); 


} 


)-1)))¢ 
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return m; 


} 


int largestSetBit (u32 *M, int necw) { 
ine J], MF 
u32 w; 


j=ncw-1; 
m= (ncew<<5)-1; 
while(j>=0 && !M[j]){ 
J--3 
m-=32; 
} 
if (j==-1) 
return -1; 
w=M[j]1; 
for (j=4; j>=0; —-j){ 
if(! (wé (((1<<(1<<j))-1)*OxfffLffLF£)))//no set bit in upper remaning 
half 
m-=(1<<j); 
else 
w>>=(1<<j); 
} 
return m; 
} 
u8 vOGreaterThanVvl (struct bitVector v0, struct bitVector vl) { 
Line i} 


if (vO.length!=vl.length) printf ("(vO0GreaterThanV1l)Uncomparable bit- 
strings, v0.length=%d, vl.length=%d!\n", 
v0O.length,vl.length) ; 





i=v0.wl-1; 
while(i>=0 && !(v0O.v[i]*vl.v[i])) 


if(i>=0 && vO.v[i]>vl.v[i]) 
return 1; 

else 
return 0; 


} 





u8 vOEqualV1 (struct bitVector v0, struct bitVector v1) { 
ine iL; 





if (vO.length!=vl.length) printf ("(v0OEqualV1)Uncomparable bit-strings, 
v0.length=%d, vl.length=%d!\n", 
v0O.length,vl.length) ; 





i=v0.wl-1; 

while(i>=0 && !(v0O.v[i]*vl.v[i])) 
i--; 

Lt (<0) 
return 1; 

else 
return 0; 
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} 


void mergeSortBitVectors (struct bitVector 


int i, j, t, na, nb; 
struct bitVector tmp, 


if (nil==1) 
return; 
if (nil==2) { 


*ml, 


*v1lb; 


if (vOGreaterThanVl (vl1[0],v1l[1])){ 


tmp=vl[0]; 
vl[O]=v1[1]; 
vil[l]=tmp; 











vlb=vltna; 


mergeSortBitVectors (vl,na) ; 
mergeSortBitVectors (vlb,nb); 
ml=(struct bitVector *)malloc(nil*sizeof (struct bitVector)); 








t=i= j=0; 
while(i<na && j<nb) { 


if (vOGreaterThanVvl (vl[i],vlb[j])) 
































ml [t++]=vlb[j++]; 
else 
ml [t++]=vl[i4 . 
}//lists merged 
if (i<na) 
for(j=i; j<na; 3) 
ml[tt++]=v1l[j]; 


} 
else{ 
for(i=j; i<nb; ++i) 
ml[t++]=vlb[il]; 


}//remainder of unfinished list copied 











for(i=0; i<nil; ++i) 
vl[i]=ml[il; 
//copied back to vl 





} 
void printLinComb (u32 *1, 
Rie 


for(i=0; i<nvar; ++i) { 


int nvar) { 


Lf (L[i>>5]& (1<<(i&0xl1f))) 


printf ("3d + ",i); 
} 
printf ("\b\b\n"); 
} 





void printEquation(struct eqSymbol *eq) { 
/* Prints the equation to the screen, 





sides */ 
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kvl, int nil) { 


includes up to 16 righ-hand 


int i, j, maxnv=0, nv, nr, nwritten; 


if (eq->nrhs>16) 
nr=16; 
else 
nr=eq->nrhs; 
for(i=0; i<eq->nlin; ++i) { 
nv=ww (eq->A[i],NWORDS) ; 
if (nv>maxnv) 
maxnv=nv; 








oe 
Q, 


printf ("========= Equation 





for(i=0; i<eq->nlin; ++i) { 
nv=ww (eq->A[i],NWORDS) ; 
for(j=0; j<maxnv-nv; ++)) 
printf (" Wy 4 
for (4=0; 4<NVAR; ++3) { 
if (eq->A[li] [j>>5] & (1<<(j&0x1f) ) ) 
printt (™ Sade"). 3) 4 
} 
printf ("\b="); 
nwritten=0; 
for(j=0; jJ<eq->originalNRHS; ++)) { 
if (eq->RHSexists[j]) { 
if (eq->b[ 4] [i>>5] & (1<< (i&0x1f) ) ) 
printi( DT); 
else 
printeé(™ 0 |"); 
nwrittentt; 
if (nwritten==nr) 
j=eq->originalNRHS; 





} 
} 
printf ("\b\n\n"); 
} 


printf("%d right hand sides in total\n",eq->nrhs) ; 
printf("\nLinked to %d other equations\n",eq->nn) ; 
printf("RHS index - "); 


nwritten=0; 
for(i=0; i<eq->originalNRHS; ++i) { 
if (eq->RHSexists[i]) { 
printt(™ g2d ",3) 3 
nwrittentt; 
if (nwritten==nr) 
i1=eq->originalNRHS; 
} 
} 
printf ("\ncoverID"); 
for(i=0; i<eq->nn; ++i) { 
printf ("\nLink %2d Wo at) e 
nwritten=0; 
for(j=0; jJ<eq->originalNRHS; ++)) { 
if (eq->RHSexists[j]) { 
printf(" 62d ",eq->coverID[i][j]); 
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Neat 


req- 


nwrittentt+; 
if (nwritten==nr) 
j=eq->originalNRHS; 


} 
} 
printf ("\n Ne) 7 
} 








void printLink(struct linkSymbol *ls) { 
/* Prints the link to the screen */ 
ime: aly -c0y “el 








printf (" Link %d \n",1s- 
>linknr); 

printf ("Link with %d cells\n",1ls->ncells); 

if (ls->ncells<=32) { 















































printf ("\n W).¢ 

for (i=0; i<ls->ncells; i) 
praintt (" $20 ",1); 

printf ("\nExists "); 

for (i=0; i<ls->ncells; i) { 
if (ls—>cellExists[i]) 
prance (™ se °%)> 
else 
printf (" a 


} 


printf ("\nnCover0"); 
































for (i=0; i<ls->ncells; i) 
printf(" 62d ",1ls->nCover[0][1i]); 
printf ("\nnCoverl"); 
for (i=0; i<ls->ncells; i) 
printf(" 62d ",1ls->nCover[1][i]); 
} 
elsef{ 


c0O=ls-—>nCover[0] [0]; 
cl=ls-—>nCover[1] [0]; 
for(i=l; i<ls->ncells; ++i) { 
if (cO!=1ls->nCover[0][i] |] cl!=ls->nCover[1] [i]) { 
printf ("\nUnbalanced link\n"); 
i=ls->ncells; 
} 
} 











} 
printf("\n\nLinks together equations %d and %d of dimensions %d and 
san, 
ls->nlist[0]->eqnr,1s->nlist[1]->eqnr,1ls->nlist [0]->nlin, 1s-— 
>nlist[1]->nlin); 
printf (" \a"ye 
} 











void printLinEquation(struct eqSymbol *egq, int start, int stopp) { 
int i, j, nv, maxnv=0; // !! added init , maxnv; 





for(i=start; i<stopp; +ti) { 
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} 


nv=ww (eq->A[i],NWORDS) ; 
if (nv>maxnv) 
maxnv=nv; 


} 

















printf ("========= Linear Equation \n",eq->eqnr) ; 


for(i=start; i<stopp; ++i) { 

nv=ww (eq->A[i],NWORDS) ; 

for(j=0; j<maxnv-nv; ++)) 
prince My i 

for(j=0; 3<NVAR; ++)3) 
if (eq->A[i] [j>>5] & (1<<(J3&0x1f))) 
prantt (" 230 45-9)? 

} 

printf ("\b="); 

if (eq->b[0] [i>>5] & (1<<(i&0x1f) ) ) 
printf(" 1\n"); 

else 
printf (" O\n"); 





void deleteEquation(struct eqSymbol *eq) { 


} 








/* Frees all allocated memory in eq not associated to links. */ 
Lie a; 


for(i=0; i<eq->originalNRHS; ++i) { 
if (eq->RHSexists[i]) 
free (eq->b[i]); 
} 
free (eq->b); 
for(i=0; i<eq->nlin; ++i) 
free (eq->A[i]); 
free (eq->A) ; 
free (eq->RHSexists); 


void deleteSystem(struct system *S) { 


} 


Lie a; 


for(i=0; i<S->neq; ++i) 
deleteEquation(S->Eti); 
deleteEquation (S—->linbank) ; 











word Uxb(u32 **U, int nr, int nc, u32 *b, u32 *x){ 


/* computes U times b, where U has nr rows and nc columns. Stores 


result in x */ 
int i, Jj, new, nrw; 
u32 *w; 


ncew= (nct+31)>>5; 
nrw=(nrt+31)>>5; 
w=(u32 *)malloc(ncw*sizeof (u32)); 
for(i=0; i<nrw; ++i) 
x[i]=0; 
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for (i=0; i<nr; ++i) { 
for(j=0; j<ncew; ++)) 
w[j]=Ulil [3] &blj]; 
if (ww (w, ncw) &1) 
x[i>>5] |=(1<<(i&0x1Ff)); 
} 
free (w); 


} 


void UAX(u32 **U, u32 **A, u32 **nyA, 
/* Multiplies the matrices U and A, 
int i, j, k, *bpos, hw; 


bpos=(int *)malloc(nl*sizeof(int)); 
for (i=0; i<nl; ++i) 
hw=0; 
for(j=0; j<nl; ++34){ 
if (U[i] [j>>5] & (1<<(J&0x1f))) 
bpos [hwt++]=3; 

















int nl, int ncw) { 
stores result in nyA */ 


}//found positions where U[i] has 1-bits 
for(j=0; j<new; ++3) { 
for (k=0; k<hw; ++k) 
nyA[i] [j]*=Albpos[k]] [3]; 
} 
} 
} 
int rank(u32 **M, int nr, int nc) { 
/* Returns the rank of M */ 
int rank, i, j, k, sb, minsb, r, ncw; 
u32 **cM, *tmp; 


ncew=(nc+31)>>5; 
cM=(u32 **)malloc(nr*sizeof (u32)); 
for (i=0; i<nr; ++i) { 


cM[iJ=(u32 *)malloc(ncw*sizeof (u32)); 





for(j=0; j<ncew; ++)) 
cM[i] [j]=M[il [jl]; 
} 


for(i=0; i<nr; ++i) { 
minsb=nc; 
for(j=i; j<nr; ++35){ 


sb=smallestSetBit (cM[j],ncw); 
if (sb!=-1 && sb<minsb) 

r=j; 

minsb=sb; 


} 


] 
{ 


} 

if (minsb==nc) { 
for(j=0; Jj<nr; 
free(cM[j]); 
free (cM); 
return i; 


+43) 


} 
if(r>i){ 
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tmp=cM[i]; 
cM[i]=cM[r]; 
cM[r]=tmp; 
} 
for(j=itl; j<nr; ++)) 
if(cM[j] [minsb>>5]& 
for (k=0; k<ncw; ++k) 
cM[j] [k] *=cM[i] [k 


1<<(minsb&0x1f) )) { 





} 
} 
} 
for (i=0; i<nr; ++i) 
free (cM[i]); 
free (cM); 
return nr; 


} 


int computeU(struct eqSymbol *eq0, struct eqSymbol *eql, u32 **U) { 
/* Computes U such that UM is triangularized, where M is the 
concatenation of the matrices in eqO and eql. Returns the 
dimension of the shared subspaces of eqO and eql. */ 
int i, j, k, b, minb, r, enord, uw, rank, sumnl; 
u32 *tmp, enmask, **M; 








sumnl=eq0->nlintegl->nlin; 
M=(u32 **)malloc(sumnl*sizeof (u32 *)); 
for(i=0; i<sumnl; ++i) { 
M[iJ=(u32 *)malloc(NWORDS*sizeof (u32)); 
if (i<eqO->nlin) { 
for (j=0; j<NWORDS; ++3) 
M(i] [j]=eq0->Alil [4]; 

















} 
else{ 
for (j=0; j<NWORDS; ++3) 
[j]=eql->A[i-eqO0->nlin] [j]; 











rank=sumnl; 
uw=(sumn1+31)>>5; 








for(i=0; i<sumnl; ++i) { 
U[i]l=(u32 *)calloc (uw, sizeof (u32)); 
U[i] [i>>5] |=(1<<(i&0x1f)); 


} 
//U is identity-matrix 
for(i=0; i<sumnl; ++i) { 
minb=MAXINT; 
for(j=i; j<sumnl; ++)) 
b=smallestSetBit (M[J 
if (b!=-1 && b<minb) { 
r=ji 
minb=b; 
if (minb==i)//no need to search further 
j=sumnl; 








{ 
],NWORDS) ; 





} 
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if (minb==MAXINT) {//only all-zero rows remaining 


rank=i; 
i=sumnl; 

} 

else{ 
if (r>i){//need to swap rows 
tmp=M[i]; 
M[i]=M[r]; 
M[r]=tmp; 
tmp=U [i]; 
U[i]=U[r]; 
U[r]=tmp; 


} 
enmask=1<< (minb&0xlf 
enord=minb>>5; 
for(j=itl; j<sumnl; 
if (M[j] [enord] éenmas 
for (k=0; k<NWORDS; 











M[j] (k]*=M[il] [k]; 
for (k=0; k<uw; ++k 
U[3] [k]*=U[1i] [k]; 


} 

} 

for(i=0; i<sumnl; ++i) 
free (M[i]); 

free (M); 





return sumnl-rank; 


} 


u8 checkSolution(struct system *S, 
/* Returns 1 if val is a solution to S, 
Prints out the equation number of equations not satisfied. 


i 


k) { 
++k) 





) 


és 


is assigned to variable i.*/ 


Tie i, Ts 

u32 *propRHS; 

struct eqSymbol *eq; 
u8 bit, funnet, rv=1; 


++3){//making O's under leading 1 


u8 *val) { 


Oi a tae 2 


propRHS=(u32 *) calloc (NWORDS, sizeof (u32)); 











for (eq=S->E; eq<S->E+S-—>neq; 
for(i=0; i<eq->nlin; ++i) { 





bit=0; 


for(j=0; j<NVAR; ++3) { 
if (eq->A[i] [j>>5] & (1<< (4&0x1£) ) 


bit*=1; 
} 
6 (Dit) 


PropRHS [i>>5] |=1<<(i&Oxl1f); 


}//propRHS maa vaere bl 
for(i=0; i<eq->original 


gq) { 


lant eq->b 


LNRHS; 





if (eq->RHSexists[i]) 


++i) { 
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&& val (41) 


val[i] 


funnet=1; 
for(j=0; j<eq->nw; +4 
if (propRHS[j]*eq->b 
funnet=0; 





} 
if (funnet) 
1=eq->originalNRHS+1; 

} 
} 
if (i==eq->originalNRHS) {//eq ikke tilfredsstilt 

printf ("Equation %$d not satisfied, nlin=%d, nrhs=%d\n",eq- 

>eqnr,eq->nlin,egq->nrhs) ; 

//printEquation (eq) ; 

rv=0; 
} 
for(i=0; i<eq->nw; ++1) 

propRHS [i]=0; 














} 


return rv; 


} 


u8 deleteRHS (struct eqSymbol *eq, int RHSindex) { 
int i, minindex, ci; 
struct linkSymbol *1S; 


=1){ 


if (eq->RHSexists [RHSindex]= 
=0; 


eq->RHSexists [RHSindex] 
free (eq->b[RHSindex]); 
eq->nrhs--; 
if (eq->nrhs==0) 
return 0; 
for(i=0; i<eq->nn; ++i) { 
1S=eq->link[i]; 
ci=eq->coverID[i] [RHSindex]; 
if (1S->nlist [0]==eq) 
minindex=0; 
else 
minindex=1; 
1S->nCover [minindex] [ci]--; 
if (LS->nCover [minindex] [ci] <0) {printLink (1S) ;exit (0); } 
} 


eq->delSinceExtract=1; 











} 


return 1; 


} 





u8 trimEgquation(struct eqSymbol *eq) { 
/* Makes sure that A-matrix in eq has full rank, and removes 
RHS if possible. Returns 0 if eq can not be satisfied, returns 1 
if A-matrix had full rank, returns 2 if A-matrix has decreased. */ 
u32 **U, *x, *tmp, enmask; 
int i, j, k, b, minb, r, enord, uw, rank; 
u8 rv; // !! removed var: , delocc=0; 


rank=eq->nlin; 
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uw= (eq->nlint31)>>5; 

U=(u32 **)malloc(eq->nlin*sizeof (u32 *)); 
for(i=0; i<eq->nlin; ++i) { 

J=(u32 *)calloc (uw, sizeof (u32)); 

] [i>>5] |=(1<<(isOx1£)); 











U[i 
U[i 
} 
//U is identity-matrix 
for(i=0; i<eq->nlin; ++i) { 
minb=NVAR; 
for(j=i; j<eq->nlin; ++) { 
b=smallestSetBit (eq->A[j],NWORDS) ; 
if(b!=-1 && b<minb) { 
L=Ji 
minb=b; 


} 





} 

if (minb==NVAR) {//only all-zero rows remaining 
rank=i; 
i=eq->nlin; 

} 

else{ 
if (r>i){//need to swap rows 
tmp=eq->A[i]; 
eq->A[i]l=eq->A[r]; 
eq->A[r]=tmp; 





tmp=U [i]; 
U[i]=U[r]; 
U[r]=tmp; 


} 
enmask=1<< (minb&0x1f); 
enord=minb>>5; 
for (j=itl; j<eq->nlin; ++j3){//making 0's under leading 1 
if (eq->A[j] [enord] &enmask) { 
for(k=0; k<NWORDS; ++k) 
eq->A[j] [k]*=eq->A[i] [k]; 
for (k=0; k<uw; ++k) 
U[3] [k]*=U[1i] [k]; 
} 
} 
} 
}//U is computed 
x=(U32 *)malloc(eq->nw*sizeof (u32)); 
for(i=0; i<eq->originalNRHS; ++i) { 
if (eq->RHSexists[i]) { 
Uxb (U, eq->nlin, eq->nlin,eq->b[i],x);//x er ny RHS-vektor 
for(j=0; j<eq->nw; 5) 
eq->b[i] [j]=x[3]; 
for (j=rank; j<eq->nlin; ++)) { 
if (eq->b[i] [j>>5]& (1<<(j&0x1f))){//inneholder 1-bit i O-rad 
omraade 
rv=deleteRHS (eq,i) ; 
// ‘! removed var: delocc=1; 
if (rv==0) 
return 0; 
j=eq->nlin; 
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} 
} 
} 
}//oppdatert alle RHS, og sikret at de er gyldige 
if (eq->nlin==rank) 
return 1; 
else{ 
eq->nlin=rank; 
eq->nw= (eq->nlin+31)>>5; 
return 2; 








} 


void depositLinComb(struct eqSymbol *eq, u32 *lc, u8 rhv) { 

/* Adds lc=rhv to eq (the linear bank). The bank must be 
antitriangular, and will remain so after addition of lc=rhv. 
le must not be in the span of eq->A. */ 

int i, j, vnr, insertrow=-1, libit; 

u32 *clc; 





clc=(u32 *)malloc (NWORDS*sizeof (u32)); 
for (i=0; i<NWORDS; ++i) 
cle[i]J=lc[i]; 
//clc er kopi og kan herjes med 
if (eq->nlin==0) 
insertrow=0; 
i=0; 
while (insertrow==-1) { 
vnr=largestSetBit (clc,NWORDS) ; 
while (i<eq->nlin && vnr<largestSetBit (eq->A[i],NWORDS) ) 
itt; 
if (i<eq->nlin) { 
libit=largestSetBit (eq->A[i],NWORDS) ; 
if (vnr>libit) 
insertrow=i; 
else //vnr==1ibit 
for (j=0; j<NWORDS; ++) 
cle[j]*=eq->Ali] [3]; 
if (eq->b[0] [i>>5] & (1<<(i&0x1f) ) ) 
rhy*=13 
itt; 
} 
} 
else//i==eq->nlin 
insertrow=eq->nlin; 














} 
for (i=eq->nlin; i>insertrow; --—i) { 
egq->A[i] q->A[i-1]; 
L£(((eq->b[0] [i>>5]>>(1&0x1f) ) * (eq->b[0] [ (1-1) >>5] >> ((1- 
1) &Ox1lf)))&1) 
eq->b[0] [i>>5] *=(1<< (i8&0x1f)); 
}//ryddet plass til ny linear ligning 
eq->A[insertrow]=clc; 
if ((u8) ((eq->b[0] [insertrow>>5]>>(insertrow&0x1f))&1)*rhv)//feil bit 
i RHS 
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eq->b[0] [insertrow>>5] *=(1<<(insertrow&0x1f)); 
eq->nlint+t+; 


} 


u8 substituteLinComb(struct system *S, u32 *lc, u32 rhv) { 

/* Largest variable in lc is eliminated using the equation lc = rhv. 
Returns 0 if system becomes inconsistent, 1 if no A-matrices were 
reduced, and 2 if some A-matrices did not have full rank after 
substitution. */ 

int i, j, enord, maxvar, rhsshift, rhsord, sistshift, sisteord; 

u32 enmask; 

struct egqSymbol *eq; 

u8 egendret, lokrv, rv=1; 


maxvar=largestSetBit (lc,NWORDS) ; 
enmask=(1<< (maxvar&0x1f)); 
enord=maxvar>>5; 
for (eq=S->E; eq<S->E+S->neqg; ++eq) { 
egendret=0; 
for(i=0; i<eq->nlin; ++i) { 
if (eq->A[i] [enord] &enmask) {//rekke i i eq har variabelen som skal 
erstattes 
eqendret=1; 
for (j=0; 3<NWORDS; ++) 
eq->A[i] [j]*=lcel3]; 
if (rhv){//maa endre alle rhs 
rhsshift=1<<(i&Oxlf); 
rhsord=i>>5; 
for(j=0; j<eq->originalNRHS; ++)) { 
if (eq->RHSexists[j]) 
eq->b[j] [rhsord]*=rhsshift; 














} 
} 

} 

if (egendret) { 
lokrv=trimEquation (eq) ; 
if (lokrv==0) { 
printf ("trimeq returnerer 0 for ligning %d\n",eq->eqnr) ; 
return 0; 
} 
if (lokrv==2) 
rv=2; 


} 





} 
depositLinComb (S->linbank,1c,rhv) ; 
//substituted equation added to the bank 


return rv; 


} 


void trimSystem(struct system *S) { 
/* Removes equations with no information in them. */ 
struct eqSymbol *eq; 
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for (eq=S->E; eq<S->E+S-—>neq; +eq) { 





if (eq->nlin<32 && (1<<eq->nlin)==eq->nrhs) {//ligning uten 


informasjon 
if (eq<S->E+S—>neq-1) 
*eg=S->E[S->neq-1]; 
eq--; 
S->neq--; 

















} 


void initLinBank (struct eqSymbol *leq) { 











leq->b=(u32 **)malloc(sizeof(u32 *)); 





leq->nlin=0; 

leq->nrhs=1; 

leq->nw=0; 

leq->nn=0; 

leq->eqnr=-1; 

leq->originalNRHS=1; 

leq->RHSexists=(u8 *)malloc(sizeof (u8)); 
leq->RHSexists[0]=1; 





} 


u8 solved(struct system *S) { 
tht. 1} 


if (S->neq==0) 
return 1; 
if (S->neq==1 && S->E[0].nrhs>=1) 
return 1; 
for(i=0; i<S->neq; ++1) { 
if (S->E[i].nrhs!=1) 
return 0; 








} 


return 1; 


} 


void solveLinSystem(struct eqSymbol *e) { 
int i, j, k, sb, minb, maxb, r; 
u32 *tmp; 
u8 ibit, rbit; 


for (i=0; i<e->nlin; ++i) { 

minb=NVAR; 

for(j=i; j<e->nlin; ++)j){ 
sb=smallestSetBit (e->A[ j],NWORDS) ; 
if(sb>=0 && sb<minb) { 
minb=sb; 
r=ji 
} 
if (minb==1) 
j=e->nlin; 
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leq->A=(u32 **)malloc(2*NVAR*sizeof (u32 *)); 


leq->b[0]=(u32 *)calloc(2*NWORDS, sizeof (u32)); 


if (e->b[0] [i>>5] & (1<<(i1&0x1f£))) 
ibit=1; 
else 
ibit=0; 
if(r!=i){//trenger a bytte om pa rader 
tmp=e->A[i]; 
e->A[i]=e->A[r]; 
e->A[r]=tmp; 
if (e->b[0] [r>>5]& (1<<(r&0x1Ff))) 
rbit=1; 
else 
rbit=0; 
if (ibit*rbit) { 
e->b[0] [i>>5]%*= 
iTbit*=1; 
e->b[0] [r>>5] *=(1<<(ré&0xl1f)); 
} 
} 
for(j=itl; j<e->nlin; ++ 3){//lager 0 under ledende l'er 
if (e->A[j] [minb>>5] & (1<< (minbé0x1f))) { 
for (k=minb>>5; k<NWORDS; ++k) 
e->A[Jj] [k]*=e->A[i] [k]; 
if (ibit) 
e->b [0] [3>>5] *=(1<< (j& (Ox1£))); 


(1<<(i&0xl1f)); 


} 
} 


}//triangularisert, starter tilbakesubstitusjon 








for (i=e->nlin-1; i>0O; --i){ 
maxb=largestSetBit (e->A[i],NWORDS) ; 
if (e->b[0] [i>>5]& (1<<(i1&0x1f£) )) 
ibit=1; 
else 
ibit=0; 
for(j=i-1l; j>=0; 3) { 
if (e->A[j] [maxb>>5] & (1<< (maxbé0x1f))) { 
for(k=0; k<NWORDS; ++k) 
e->A[Jj] [k] *=e->A[i] [k]; 
if (ibit) 
e->b[0] [7>>5] *=(1<<(4&0x1f)); 
} 














} 


void copySystem(struct system *S, struct system *kopiS) { 
Awe ap yoke 


kopiS—>neq=S-—>neq; 
kopiS-—>E=(struct eqSymbol *)malloc(kopiS—>neqg*sizeof (struct 
eqsymbol) ); 
kopiS-—>linbank=(struct eqSymbol *)malloc(sizeof (struct eqSymbol) ); 
initLinBank (kopiS-—>linbank) ; 
for(i=0; i<S->linbank->nlin; ++i) { 
for (j=0; j<NWORDS; ++7) 
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kopiS-—>linbank->A[i] [j]=S->linbank->A[i] [3]; 
} 
for (i=0; i<S->linbank->nw; ++i) 
kopiS-—>linbank->b[0] [i]=S->linbank->b[0] [i]; 
kopiS—>linbank->nlin=S-—>linbank->nlin; 
kopiS-—>linbank-—>nw=S->linbank->nw; 
for(i=0; i<S->neq; ++1) 
kopis-—>l -nlin=S->E[i].nlin; 
kopis-—>] .-nrhs=S->E[i].nrhs; 
kopis-—>l .originalNRHS=S->E[i].originalNRHS; 
kopis-—>] .nw=S->E[i].nw; 
kopiS-—>1 -nn=0; 
kopis-—>l -A=(u32 **)malloc(kopiS-—>E[i].nlin*sizeof(u32 *)); 
for (j=0; j<kopiS->E[i].nlin; ++])) 
kopiS->E[i] .A[j]=(u32 *)malloc (NWORDS*sizeof (u32)); 
for (k=0; k<NWORDS; ++k) 
kopiS->E[i] .A[j] [kK]=S->E[1i] .A[j] [kl]; 





— 
fate 





b- 

















Cel Cl Bah De) eh 
Ce ee ee Be 


Heo Be BS 





























} 



































kopiS->E[i] .b=(u32 **)malloc(kopiS->E[i].nrhs*sizeof(u32 *)); 
for(j=0; j<kopiS->E[i].nrhs; 5) 
kopiS->E[i].b[j]=(u32 *)malloc(kopiS-—>E[i].nw*sizeof (u32)); 
for (k=0; k<kopiS-—->E[i] .nw; k) 
kopiS->E[i].b[ 3] [k]=S->E[i] .b[j] [k]; 


} 
kopiS->E[i].RHSexists=(u8 *)malloc(kopis— 
>E[i] .originalNRHS*sizeof (u8)); 
for(j=0; j3<kopiS->E[i].originalNRHS; ++)) 
kopiS->E[i].RHSexists[j]=S->E[i].RHSexists[j]; 
kopiS->E[i].delSinceExtract=S->E[i].delSinceExtract; 


} 


















































} 


double log2sum(double *T, int n){ 

/* computes log2(\sum_{i=0}*{n-1} (2*{T[i]})). Works also when the 
sum is greater than 2%{32}. */ 

double suma, sumb; 

int na; 


if (n==1) 
return TO]; 
na=n/2; 
suma=log2sum(T,na) ; 
sumb=log2sum(T+na,n-na) ; 
if (suma<sumb) 
if ((sumb-28.0)>suma)//only sumb contributes 
return sumb; 
else//compute exactly 
return sumat+log2 (pow(2,sumb-suma)+1.0); 








} 
else{//suma largest 
if ((suma-28.0)>sumb)//only suma contributes 
return suma; 
else//compute exactly 
return sumb+log2 (pow(2,suma-sumb) +1.0); 
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} 


u8 evaluate (u32 *lc, u8 *v) { 

/* evaluates the linear combination lc with the variables in v and 
returns its sum */ 

rhe a} 

u8 sum=0; 


for (i=0; i<NVAR; ++i) { 
if (lce[i>>5]&(1<<(i&0x1lf)) && v[i]) 
sum*=1; 


return sum; 


2. AGREEING.h (by Havard Raddum and Igor Semaev) 


u8 checkLink (struct linkSymbol *1S) { 
/*Checks if the two equations linked in this link agree. Returns 0 
if equations are inconsistent, 
1 if equations agree and 2 if equations disagreed */ 
u8 rv=1, lokrv; 
int i, j, eqdel, linkIndex, eqOni, eqlni; 
struct eqSymbol *eq, *eq0, *eql; 














if ((log2 (1S->ncells) <(log2(1S->nlist[0]->nrhs)/2)) && 
(log2 (1S->ncells) <(log2 (1S->nlist[1]->nrhs)/2))){//do not expect 
deletions 

for (i=0; i<1S->ncells; ++i) { 


















































if (1S->cellExists[i]) { 

eqdel=2; 

if (1S->nCover[0] [i]==0 && 1S->nCover[1] [i]>0) 
eqdel=1; 

if (1S->nCover[0] [i]>0 && 1S->nCover[1] [i]==0) 
eqdel=0; 

if (eqdel<2) { 
rv=2; 





for(j=0; j<eq->nn; +4 
if (eq->link[j]==1S) 
linkIndex=j; 
j=eq->nnt1; 
} 
} 
if (j==eq->nn) { 
printf("Fant ikke link!? eqdel=%d, i=%d\n",eqdel,i); 
printf ("Linkadresse: %x, eq.naboadresse: %x\n",1S,eq- 
>link[0]); 
} 
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while (1S->nCover [eqdel] [i] >0) { 





while (j<eq->originalNRHS && eq- 
>coverID[linkIndex] [j]!=(unsigned)i) // !! added cast 
+7 





if (j==eq->originalNRHS) printf ("fant ikke RHS som dekker celle 
$x, 1S->nCover=%d\n",i,1S—->nCover[eqdel] [i]); 
lokrv=deleteRHS (eq, j); 
if (lokrv==0) 
return 0; 
+43; 








} 


1S->cellExists[i]=0; 








} 
} 
else{//expects deletions, goes through RHS's of linked equations 

eq0=1S->nlist[0]; 

eql=1S->nlist[1]; 




















for(i=0; i<eqO->nn; ++i) { 
if (eqO->link[i]==1S) { 
eqOni=i; 


i=eq0->nnt1; 
} 
} 
if (i==eq0->nn) printf ("(checkLink) Fant ikke link fra nabo 0\n"); 
for(i=0; i<eql->nn; ++i) { 
if (eql->link[i]==1S) { 
eqini=i; 
i=eql->nnt1; 
} 
} 
if (i==eql->nn) printf ("(checkLink) Fant ikke link fra nabo 1\n"); 
for(i=0; i<eql->originalNRHS; ++i) { 
if (eql->RHSexists[i]) { 
if (1S->nCover[1] [eql->coverID[eqini] [i] ]==0) 
printf("RHS @d i eql dekker en celle som link sier ikke blir 
dekket av eql\n",i); 




















if (ls-SnCover [0] leql=scoveriInleqini] [1] 1==0) { 
lokrv=deleteRHS (eql,i); 
if (lokrv==0) 
return 0; 
rv=2; 


} 
} 
} 
for(i=0; i<eqO->originalNRHS; ++i) { 
if (eqO0->RHSexists[i]) { 
if (1S->nCover [0] [eqO->coverID[eq0ni] [i] ]==0) 
printf("RHS Sd i eqO dekker en celle som link sier ikke blir 
dekket av eq0O\n",i); 














if (1S->nCover [1] [eq0->coverID[eq0ni] [i] ]==0) { 
lokrv=deleteRHS (eq0,i); 
if (lokrv==0) 


return 0; 
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return rv; 


} 


u8 agreeSystem(struct system *S) { 
/* Agrees the whole system. Returns 0 if system is inconsistent, 


1 if system already agreed, or 2 if deletions of RHS's have 
occurred */ 


Ae i 
u8 rv=1, lokrv, changed=1; 
struct linkSymbol *lsym; 


while (changed) { 
changed=0; 
for(lsym=S->L; lsym<S->L+S->nlink; ++lsym) { 
lokrv=checkLink (lsym) ; 





if (lokrv==2) 
changed=1; 
if (lokrv==0) { 





printf ("inconsistency in link %d\n",i); 
return 0; 


} 


return rv; 


3. GLUING.h (by Havard Raddum and Igor Semaev) 


/* Methods inmplementing gluing of equations, before linking */ 








u8 maskedRHSlEqualRHS2(u32 *rhsl, u32 *rhs2, int nw, u32 *maske) { 
tHe C? 


t=nw-1; 

while (t>=0 && ((rhsl[t]émaske[t])==(rhs2[t]&maske[t]))) 
t--; 

if (t<0) 
return 1; 

else 
return 0; 


} 


u8 maskedRHS1BiggerThanRHS2 (u32 *rhsl, u32 *rhs2, int nw, u32 *maske) { 
Le 3c; 


t=nw-1; 
while(t>=0 && (rhsl[t]émaske[t])==(rhs2[t]&maske[t])) 


68 


t--; 

if (t>=0 && (rhsl[t]&maske[t])>(rhs2[t]&maske[t]) ) 
return 1; 

else 
return 0; 


} 


void mergeSortMaskedRightHandSides(u32 **RHS, int nicl, int nw, u32 
xmaske) { 

int niacl, nibcl, i, j, t; 

u32 *tmp, **aRHS, **bRHS, **dl1; 





if (nicl==2 && maskedRHS1BiggerThanRHS2 (RHS[0],RHS[1],nw,maske) ) { 
tmp=RHS [0]; 
RHS[0]=RHS[1]; 
RHS [1]=tmp; 
} 
if (nicl>2) { 
niacl=nicl/2; 
nibcl=nicl-niacl; 
aRHS=RHS; 
bRHS=RHS+tniacl; 
mergeSortMaskedRightHandSides (aRHS, niacl,nw,maske) ; 
mergeSortMaskedRightHandSides (bRHS, nibcl,nw,maske) ; 
dl=(u32 **)malloc(nicl*sizeof (u32 *)); 
i1=j=t=0; 
while(i<niacl && j<nibcl){//ingen er ferdige, ma sammenligne 
if (maskedRHS1BiggerThanRHS2 (aRHS[i],bDRHS[j],nw,maske) ) 


















































dl [t++]=bRHS [j++]; 
else 
dl [t++]=aRHS [i++]; 











} 

if (i==niacl){//aRHS ble ferdig forst, kopierer resten av bRHS 
for (i=j; i<nibcl; ++i) 
dl [t++]=bRHS [i]; 

} 

else{//bRHS ble ferdig fgorst, kopierer resten av aRHS 
for(j=i; j<niacl; ++)j) 
dl [t++]=aRHS[j]; 

} 

//kopierer tilbake i RHS 














for(i=0; i<nicl; ++i) 
RHS [i]=d1 [i]; 
free(dl); 


} 


void computeMaskedSortedRHS (struct eqSymbol *eql, struct eqSymbol *eq2, 
u32 **Ub1, u32 **Ub2, u32 *maske, u32 **U, int 
ncommon) { 
/* Expands RHS's in eql and eq2 so they can be glued together. maske 
shows which bits that must be equal when gluing. */ 
u32 *lokb; 
int i, j, t, sumnl, sumnlw, skev; 
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sumnl=eql->nlinteg2->nlin; 
sumnilw=(sumnl1+31)>>5; 
lokb=(u32 *)malloc(sumnlw*sizeof (u32)); 
t=0; 
for (i=0; i<eql->originalNRHS; ++i){//computes Ub for all right-hand 
sides b in El 
if (eql->RHSexists[i]) 
for(j=0; j3<eql->nw; ++)) 
lokb[j]=eql->b[i] [3]; 
for (j=eql->nw; j<sumnlw; ++)j) 
lokb[j3]=0; 























Uxb (U, sumnl, sumnl, lokb, Ub1 [t++]); 
} 
} 
if (t!=eql->nrhs) printf ("eql->nrhs=%d, t=%sd\n",eql->nrhs,t); 
t=0; 
for (i=0; i<eq2->originalNRHS; ++i){//computes Ub for all right-hand 
sides b in E2 
if (eq2->RHSexists[i]) 
for(j=0; j<eql->nw; ++)) 











lokb[j3]=0; 
skev=(eql->nlin) &é0x1f; 
if (skev==0) { 


for (j=eql->nw; j<sumnlw; ++j) 
lokb[j]=eq2->b[i] [j-eql->nw]; 
} 














else{ 
for(j=0; j<eq2->nw; ++)9) { 
lokb [eql->nw+ 4-1] |=(eq2->b[i] [j]<<skev); 





if (sumnlw>(j+eql->nw) ) 
lokb [eql—->nw+ 4j]=eq2->b[i] [j]>>(32-skev) ; 








} 

} 

Uxb(U, sumnl, sumnl, lokb, Ub2 [t++]); 
} 


} 
if (t!=eq2->nrhs) printf ("eq2->nrhs=%d, t=%sd\n",eq2->nrhs,t); 











free (lokb); 


i=sumnl-ncommon; 
j=0; 
while (i>=32) { 
maske[jtt+]= 
1-=32; 
} 
if (j<sumnlw) { 
maske[j]=(Oxffffffff<<i); 
for(i=jt+l; i<sumnlw; ++i) 
maske[i]=Oxffffffff; 
if (sumnlé0x1f) 
maske[sumnlw-1] &=(1<<(sumn1l&0x1f))-1; 


0; 








} 


//mask in place 
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mergeSortMaskedRightHandSides (Ub1,eql->nrhs, sumnlw,maske) ; 
mergeSortMaskedRightHandSides (Ub2, eq2->nrhs, sumnlw,maske) ; 
} 





int nRHSwhenGlued(struct eqSymbol *eql, struct eqSymbol *eq2) { 
/* Computes number of RHS if gluing eql and eq2 */ 
u32 **Ub1l, **Ub2, *maske, **U; 
int i, j, nn=0, bpl, ppl, bp2, pp2, prod, nw, nl, nc; 











nl=egql->nlinteg2->nlin; 
nw=(n1+31)>>5; 
U=(u32 **)malloc(nl*sizeof (u32 *)); 
nc=computeuU (eql,eq2,U); 
if (nc==0) { 
for (i=0; i<nl; ++i) 
free (U[i]); 
free (U); 
if ((MAXINT/eql->nrhs) <eq2->nrhs) 
return MAXINT; 
else 
return eql->nrhs*eq2->nrhs; 














} 





























Ub1=(u32 **)malloc(eql->nrhs*sizeof (u32 *)); 
for(i=0; i<eql->nrhs; i) 

Ub1 [i]=(u32 *)calloc(nw, sizeof (u32)); 
Ub2=(u32 **)malloc(eq2->nrhs*sizeof (u32 *)); 
for(i=0; i<eq2->nrhs; i) 

Ub2 [i]=(u32 *)calloc(nw, sizeof (u32)); 

















maske=(u32 *)malloc(nw*sizeof (u32)); 








computeMaskedSortedRHS (eql,eq2,Ub1,Ub2,maske,U,nc) ; 





for (i=0; i<nl; ++i) 
free (U[i]); 
free (U); 
bp1l=pp1l=bp2=pp2=0; 
while (bpl<eql->nrhs && bp2<eq2->nrhs && nn<MAXINT) { 
while (bpl<eql->nrhs && bp2<eq2->nrhs && 
'maskedRHSlEqualRHS2 (Ub1 [bp1],Ub2 [bp2],nw,maske) ) { 
if (maskedRHS1BiggerThanRHS2 (Ub1 [bp1],Ub2 [bp2],nw,maske) ) 
bp2t++; 
else 
bplt++; 
}//her er maskert Ubl[bpl] og Ub2[bp2] like, eller en av listene er 
nadd til endes 
ppl=bp1l; 
pp2=bp2; 
while (ppl<eql->nrhs && 
maskedRHSlEqualRHS2 (Ub1 [bp1],Ub1[ppl1],nw,maske) ) 
ppl+t; 
while (pp2<eq2->nrhs && 
maskedRHSlEqualRHS2 (Ub2 [bp2],Ub2 [pp2],nw,maske) ) 
pp2tt; 
//Blokkene fra bpl og bp2 til ppl og pp2 er identiske maskert 
if((ppl-bp1)>0 && MAXINT/ (ppl-bp1) <(pp2-bp2) ) 
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} 


int estimateNRHSwhenGlued(struct eqSymbol 


} 


nn=MAXINT; 


prod=(ppl-bp1) * (pp2-bp2) ; 


if (nn>MAXINI 
nn=MAXINT; 
if (nn<MAXINT) 











nn+=prod; 


bpl=ppl; 
bp2=pp2; 


Free (Ub1); 


Free (Ub2); 





return nn; 


Free (maske) ; 


[—prod) 


for(i=0; i<egql->nrhs; 
free (Ub1[i]); 


for(i=0; i<eq2->nrhs; 
free (Ub2[i]); 


int i, enn, nc, sumnl; 


u32 **M; 








sumnl=eql->n] 
M=(u32 **)mal 


Lintegq2->n] 
lloc(sumnl*sizeof(u32 *)); 


for(i=0; i<eql->nlin; 


M[i]=egql->A[i]; 





for (i=eql->nlin; 














Lins 





i) 





i<sumnl; ++i) 














free (M); 


if ((Log2 (eql-> 


nrhs) +] 


M[i] q2->A[i-eql->n] 
nc=sumnl-rank (M, sumn] 








lin]; 


L, NVAR) ; 


*eql, 


struct eqSymbol *eq2) { 


Log2 (eq2—>nrhs) —- (double) nc) <30.9) { 


if ((log2 (eql->nrhs) +log2 (eq2-—>nrhs) - (double) nc)>0.0) { 


if (eq2->nr 


hs>eql->nrhs) 


enn=(eql->nrhs>>(nc/2) ) * (eq2->nrhs>>(nce-(nc/2))); 


else 


enn= (eq2-> 





if (enn==0) 


enn=1; 


enn=1; 


else 





enn=MAXINT; 


revturn enn; 


*geq) { 


/* Glues together eql and eq2 into geq, 


used afterwards. */ 


int a, 4, 


k, bpl, 


ppl, 


void glue(struct eqSymbol *eql, 


bp2, 


pp2, 


ncommon, 
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t, 


nrhs>>(nc/2)) * (eql->nrhs>>(nce-(nc/2))); 


struct eqSymbol *eq2, struct eqSymbol 


eql and eq2 should not be 


estnnew; 


u32 *maske, **Ub1l, **Ub2, **U, **nyA; 


Ub1=(u32 **)malloc(eql->nrhs*sizeof (u32 *)); 
Ub2=(u32 **)malloc(eq2->nrhs*sizeof (u32 *)); 
gegq->nlin=eql->nlinteq2->nlin; 
geq->nw=(geq->nlint31)>>5; 






































geq->A=(u32 **)malloc(geq->nlin*sizeof(u32 *)); 
for(i=0; i<eql->nlin; i) 

geq->A[i]J=eql->A[i]; 
for(i=0; i<eq2->nlin; i) 























geq->A[eql->nlinti]=eq2->A[i]; 





nyA=(u32 **)malloc(geq->nlin*sizeof(u32 *)); 























U=(u32 **)malloc(geq->nlin*sizeof(u32 *)); 
for(i=0; i<geq->nlin; i) 

nyA[i]=(u32 *)calloc(NWORDS, sizeof (u32)); 
for(i=0; i<eql->nrhs; i) 

Ub1[i]=(u32 *)calloc(geq->nw, sizeof (u32)); 
for(i=0; i<eq2->nrhs; i) 

Ub2 [i]=(u32 *)calloc(geq->nw, sizeof (u32)); 








maske=(u32 *)malloc(geq->nw* sizeof (u32)); 








ncommon=computeU (eql,eq2,U) ; 

UAX (U, geq->A, nyA, geq->nlin, NWORDS) ; 

free (geq->A); 

geq->A=nyA; 

computeMaskedSortedRHS (eql, eq2, Ub1, Ub2,maske, U, ncommon) ; 
stnnew=(eql->nrhs>>(ncommon/2) ) * (eq2->nrhs>>(ncommon-ncommon/2) ); 

if (estnnew<1) 
estnnew=1; 

//perintf ("estnnew=2% (%.3f), ",log2(estnnew) ); 











geq->b=(u32 **)malloc(estnnew* sizeof (u32 *)); 
bpl=pp1l=bp2=pp2=t=0; 
while (bpl<eql->nrhs && bp2<eq2->nrhs) { 
while (bpl<eql->nrhs && bp2<eq2->nrhs && 
!'maskedRHSlEqualRHS2 (Ub1 [bp1],Ub2 [bp2], geq->nw, maske) ) { 
if (maskedRHS1BiggerThanRHS2 (Ub1 [bp1],Ub2 [bp2],geq->nw,maske) ) 
bp2t++; 
else 
bplt++; 
}//her er maskert Ubl[bpl] og Ub2[bp2] like, eller en av listene er 
nadd til endes 
ppl=bp1l; 
pp2=bp2; 
while (ppl<eql->nrhs && maskedRHSlEqualRHS2 (Ub1 [bp1],Ub1[pp1],geq- 
>nw,maske) ) 
ppl+t; 
while (pp2<eq2->nrhs && maskedRHSlEqualRHS2 (Ub2 [bp2],Ub2 [pp2],geq- 
>nw,maske) ) 
pp2tt; 
//Blokkene fra bpl og bp2 til ppl og pp2 er identiske maskert, 
limer alle par 
for(i=bpl; i<ppl; ++i) { 
for(j=bp2; j<pp2; ++j) { 
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geq->b[t]=(u32 *)malloc (geq->nw* sizeof (u32)); 
for (k=0; k<geq->nw; ++k) 
geq->b[t] [k]=Ub1 [i] [k]*Ub2[4] [k];//faktisk liming 





tt+t+; 
if (t==estnnew) {//needs more memory and a better estimate 
if (i==0) 
estnnew*=2; 
else{ 


if (i==eql->nrhs) 
estnnewt=(pp2-4); 
else 
estnnew= (int) ( (double) estnnew/ ( (double) i/ (double) eql- 
>nrhs) ); 
} 
geq->b=(u32 **) realloc(geq->b,estnnew*sizeof (u32 *)); 
} 
} 
} 
bp1l=ppl; 
bp2=pp2; 
} 
geq->originalNRHS=t; 
geq->nrhs=t; 
geq->b=(u32 **) realloc (geq->b, geq->originalNRHS*sizeof(u32 *)); 
geq->RHSexists=(u8 *)malloc(geq->originalNRHS*sizeof (u8) ); 
for(i=0; i<geq->originalNRHS; ++i) 
geq->RHSexists[i]=1; 
if (ncommon>0){//trimmer bort lineert avhengig informasjon 
for (1=geq->nlin-ncommon; i<geq->nlin; ++i) 
free (geq->A[i]); 
gegq->nlin-=ncommon; 
geq->A=(u32 **) realloc(geq->A, geq->nlin*sizeof (u32 *)); 
gegq->nw= (geq->nlint31)>>5; 
if (((geq->nlin+31) >>5) <geq->nw) { 
geq->nw= (geq->nlint31)>>5; 
for(i=0; i<geq->nrhs; ++i) 
geq->b[iJ=(u32 *)realloc(geq->b[i],geq->nw*sizeof (u32) ); 




















} 
} 
gegq->nn=0; 


free (maske) ; 

for(i=0; i<eql->nrhs; i) 
free (Ub1[i]); 

free (Ub1); 

for(i=0; i<eq2->nrhs; i) 
free (Ub2[i]); 

free (Ub2); 

















} 


u8 packSystem(struct system *S, int th) { 
/* Tries to glue together as many equations as possible, with the 


restriction that the number of 
right-hand sides in the glued equation should not be estimated to 


be larger than th. 
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Returns 0 if inconsistencies are found, 
struct egqSymbol *nyE, *tmp; 
int i, j, nnew, minnew, mini, minj, nyneq=0, 
u8 *limt, tryglue, trypack; 





nyB=(struct eqsSym 
tmp=(struct eqsSym 
limt=(u8 *)calloc 








gluetab=(int **)m 
for (i=0; 
gluetab[iJ=(int 
for (i=0; 
for(j=itl; 4<S- 
gluetab[i] [Jj] 
if (gluetab[i] 
j=S->neq; 
1=S->neqt1; 
} 
} 





} 
if (i==S->neq) 
tryglue=1; 
else{//funnet ink 
tryglue=2; 
printf ("inconsi 
} 
while (tryglue==1) 
minnew=tht1; 
for(i=0; i<S->n 
if(!limt[i]) { 
for(j=itl; j< 
if (!limt [j] 
nnew=glue 





[ 
if (nnew<minnew) { 


minnew= 
mini=i; 
minj=J; 


} 


} 
} 
}//her er billi 
if (minnew<=th) { 
glue (S->E+min 





1<S->neq; 


1<S->neq; 


bol *)malloc(S->neqg*sizeof (struct eqSymbol)); 


1 otherwise. 


**gluetab; 


bol *)malloc(sizeof (struct eqSymbol)); 


(S->neq, sizeof (u8) ); 


alloc(S->neq*sizeof(int *)); 
+41) 

*) calloc(S->neq, sizeof (int) 
++i) { 


>negq; ++)){ 





A 











=estimateNRHSwhenGlued (S->Eti 


[j]==0) { 


onsistens 
stency found\n"); 


{ 


eq; ++i) { 
S->neg; ++)){ 
{ 

tab[il [jl]; 


nnew; 


gste liming funnet, hvis 
//mulig aa lime 


1,S->Et+minj,nyEt+nyneq) ; 











nyE[nyneq]. 
limt [mini]=1; 
limt [minj]=1; 
trypack=1; 
while (trypack 
minnew=tht1; 
for(i=0; i<S- 
if (!limt [i] 





nnew=estimateNRHSwhenGlued (S->E+ 


if (nnew== 


qnr=nyneq; 


{ 


>neg; ++i) { 


{ 

















{ 


15 


i,nyE+nyneq) ; 


| 


mulig aa lime under th 


tryglue=2; 
printf ("Inconsistency Found\n"); 
i1=S->neq; 
} 
else{ 
if (nnew<minnew) { 
minnew=nnew; 
mini=i; 


} 


} 
} 
if (tryglue==1 && minnew<=th){//mulig aa putte paa en til 
//exintt (" eg Sd\n",mini) 7 
glue (nyEt+tnyneg, S->Et+mini, tmp) ; 
limt [mini]=1; 
deleteEquation (nyEtnynedq) ; 
nyE [nyneq]=*tmp; 




















} 
else 
trypack=0; 

} 
nyneqtt; 

} 

else 
tryglue=0; 

}//har pakket saa godt som mulig, kopierer ulimte symboler 
if (tryglue<2) 

for(i=0; i<S->neq; ++1) { 
if (limt[i]) 
deleteEquation(S->E+ti); 
else{ 
nyE[nyneq]=S->E[i]; 
nyE[nyneq] .eqnr=nyneq; 
nyneqtt; 
} 

} 

free (S->] 

S->E=nyk; 

S->neq=nyneq; 

for(i=0; i<S->neq; ++i) 
S->E[i].eqnr=i; 











Et 
by 
Et 
by 

















{fe 
~~ 
x 

















} 

free (limt); 

for(i=0; i<S->neq; ++1) 
free (gluetab[i]); 

free (gluetab); 

if (tryglue==2) 
return 0; 

return 1; 
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4. LINKING.h 


/* Methods for linking equations in system */ 


void zeroPrepend(u32 *b, int lb, int nzeros, u32 *x) { 
int xw, nOw, lbw, skev, i; 


nOw=(nzeros>>5); 
xw=(lb+nzerost31)>>5; 
lbw=(1b+31)>>5; 
for(i=0; i<xw; ++i) 








x[i]=0; 
skev=(nzerosé0x1f); 
if (skev) { 
for (i=0; i<lbw; ++i) { 
x[itn0Ow] |=(b[i]<<skev); 
if ((i+n0w) <(xw-1) ) 
x[itn0Owt1] |=(b[i]>>(32-skev) ); 
} 
} 
else{ 


for (i=0; i<lbw; ++i) 
x[itn0Ow]=b[i]; 


} 


void zeroAppend(u32 *b, int lb, int nzeros, u32 *x) { 
int i, xw, lbw; 


lbw=(1b+31)>>5; 








xw=(lb+nzerost+31)>>5; 

for (i=0; i<lbw; ++i) 
x[i]=b[i]; 

for(i=lbw; i<xw; ++i) 
x[i]=0; 





int collapseCellIDlist (struct bitVector *vl, int nil) { 
int bp=0, pp=1; 


while (pp<nil) 

while (pp<nil && vOEqualV1 (vl[bp],vl[pp])) 
free (vl[pptt+].v); 

if (pp<nil) 























return bpt1; 
} 





int findCellIndex(struct bitVector *vl, int nil, struct bitVector 
target) { 
int bunn, topp, midt; 


if (vOGreaterThanVl (v1[0],target))//target smaller than smallest in vl 
T7 


return —1; 
if (vOGreaterThanVl (target,vl[nil-1]))//target greater than largest in 





vi 
revurn. =; 
if (vOEqualV1 (v1[0],target) 
return 0; 
oie 











) 


(vOEqualV1 (vl [nil-1],target) ) 





return nil-1; 


//Know target is not inside boundary of vl 

bunn=0; 

topp=nil-1; 

while ((topp-1)>bunn) { 
midt=(bunn+topp) /2; 








if (vOEqualV1 (vl [midt],target) ) 


return midt; 


if (vOGreaterThanVvl (vl [midt],target) ) 


topp=midt; 


else 


bunn=midt; 


return -1; 


} 


void establishSmallLink (struct eqSymbol *eq0, struct eqSymbol *eql, 


struct linkSymbol *ls, u32 **MO, 


int commondim) { 


/* Spaces spanned by A-matrices in equations overlap in few 


dimensions, 





int i, Jj, sumnl, sumnlw; 
u32 *x, *ci; 








sumnl=eq0->nlintegl->nlin; 
sumnilw=(sumnl1+31)>>5; 


Ss 











—>nlist [0]=eq0; 





























constructs a link with 2¢r cells */ 

















1ls->nlist [1]=eq1; 
eq0->link[eqO0->nn]=1s; 
egql->link[eql->nn]=1s; 
1ls->ncells=(1<<commondim) ;//commondim should be small enough for this 
ls—>cellExists=(u8 *)malloc(ls-—>ncells*sizeof(u8)); 
for (i=0; i<2; ++1) 

ls->nCover[i]J=(int *)calloc(ls->ncells, sizeof (int)); 
eq0->coverlID[eq0->nn]=(u32 *)malloc (eqO0->originalNRHS*sizeof (u32)); 
eql->coverID[eql->nn]=(u32 *)malloc(eql->originalNRHS*sizeof (u32)); 
x=(u32 *)malloc(sumnlw*sizeof (u32)); 
ci=(u32 *)malloc(sizeof (u32)); 
/* Establish connections for eqOd */ 
for(i=0; i<eqO->originalNRHS; ++i) { 


if (eqO->RHSexists[i]) { 





zeroAppend (eqd0->b[i],eq0->n]l 
l,X,Ci); 


Uxb (MO, commondim, sumn] 
1ls->nCover[0] [ci[0]]+4 








eq0->coverID[eq0->nn] 


ijJ=ci 


Lin,eql->nlin, x); 


1’ 


Ol; 
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} 

/* Establish connections for eql */ 

for(i=0; i<eql->originalNRHS; ++i) { 
if (eql->RHSexists[i]) { 





zeroPrepend(eql->b[i],eql->nlin, eqO0->nlin,x); 


Uxb (MO, commondim, sumnl,x,Ci); 
1ls->nCover[1] [ci[0]] : 
eql->coverID[eql->nn] [i]=ci[0]; 








} 


for (i=0; i<ls->ncells; ++i) { 





if (1ls->nCover[0] [i]>0 | 1ls->nCover[1] [i]>0) 


ls->cellExists[i]=1; 
else 
ls->cellExists[i]=0; 























} 
eq0->nnt++; 
egql->nnt++; 














free (x); 
free(ci); 


void establishBigLink (struct eqSymbol *eqmin, struct eqSymbol *eqmax, 


struct linkSymbol *ls, u32 **MO, int commondim) 


/* Constructs a link where the equations overlap in too many 
dimensions. The (number of) cells in the link is based on 
the right-hand sides from the smallest equation */ 
int i, j, t, sumnl, sumnlw, lcw, newNcell, cellindex; 


u32 *x; 
struct bitVector ci; 











sumnl=eqmin->nlint+tegqmax->nlin; 
sumnlw=(sumn1+31)>>5; 
lew=(commondimt+31)>>5; 
ls->nlist [0]=eqmin; 

ls—>nlist [1]=eqmax; 
eqmin->link[eqmin->nn]=l1s; 
egqmax->link [eqmax->nn]=1s; 
ls-—>ncells=eqmin->nrhs; 
































if (ls->ncells==0) {printf ("(establishBigLink) Equations %d and %d 





inconsistent \n",eqmin->eqnr, eqmax->eqnr) ;exit (0); } 

















ls-—>cellID=(struct bitVector *)malloc(] 
bitVector) ); 
for(i=0; i<2; ++1) 





ls->cellExists=(u8 *)malloc(ls->ncells*sizeof(u8)); 


ls-—>ncells*sizeof (struct 





ls->nCover[i]=(int *)calloc(ls->ncell 





ls,Ssizeof(int)); 


eqmin->coverlID[eqmin->nn]=(u32 *)malloc (eqmin- 


>originalNRHS*sizeof (u32)); 











eqmax->coverID[eqmax->nn]=(u32 *)malloc (eqmax- 





>originalNRHS*sizeof (u32)); 
x=(uU32 *)malloc(sumnlw*sizeof (u32)); 


Ci.v=(u32 *)malloc(lcw*sizeof (u32)); 
ci.length=commondim,; 
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ci.wl=lcew; 





/* Establish connections for eqmin */ 


t=0; 





for(i=0; i<eqmin->original 


if (eqmin->RHSexists 





i]) 


NRHS; ++i) { 





zeroAppend (eqmin->b[i 
Uxb (MO, commondim, sumn] 
ls->cellID[t].wl=lcw; 
ls->cellID[t] .length=commondim,; 
ls->cellID[t].v=(u32 *)malloc(lcw*sizeof (u32)); 
for(j=0; j<lcw; ++)) 
=ci.v[j]; 




















H 


ls->cell 
tty 


D[t] .v[j 

















,eqmin->nlin, eqmax->nlin, x); 
Li CR 7) s 


} 
}//all different cellIDs, with repetition, created 





if (t!=eqmin->nrhs) {printf ("(establishBigLink)More existing RHS's 


in eqmin than egqmin->nrhs=%d says!\n", 
t,eqmin->nrhs) ;exit (0); } 
mergeSortBitVectors (ls—->cellID,1s-—>ncells); 
newNcell=collapseCellIDlist (ls->cellID,1ls-—>ncells); 

















if (newNcell<ls->ncells) { 























ls->ncells=newNcell;//the actual number of cells in this link 














>ncells*sizeof (struct bitVector)); 


} 
for (i=0; i<2; ++1) 





ls->nCover[i]=(int *)cal 
for(i=0; i<eqmin->original 





if (eqmin->RHSexists 





zeroAppend (eqmin->b [i 


i]) 


,eqmin->n] 








Uxb (MO, commondim, sumnl, x 
cellindex=findCellIndex ( 


,Cl.v); 





if (cellindex==-1) 
cellID!");exit (0); } 


printf 


eqmin->coverID[eqmin->nn 
ls-—>nCover [0] [cellindex] 


} 





}//link to eqmin created 
/* Establish connections for eqmax */ 





for(i=0; i<eqmax—>original 


if (eqmax-—>RHSexists 


[i]}) 


ls->cellID=(struct bitVector *) realloc(ls-—>cellID,1s- 


lloc(ls-—>ncells, sizeof (int)); 
NRHS; ++i) { 


in, eqmax-—>nlin, x); 





s->cellID,1s-—>ncells,ci); 











[i]=cell] 


("(establishBigLink) fant ikke 


index; 








++; 


INRHS; ++i) { 


zeroPrepend (eqmax->b[i],eqmax->nlin, eqmin->nlin, x); 
Uxb (MO, commondim, sumnl, x 
cellindex=findCellIndex(ls->cellID,1s-—>ncells,ci)j; 








7,GLeor)? 





if (cellindex==-1)//RHS i does not agree with eqmin 
deleteRHS (eqmax, i); 





else{ 


eqmax-—>coverID[eqmax->nn] [i] =cellindex; 
1ls->nCover[1] [cellindex]++; 


} 
} 


}//links created, no more use for cellID, deletes it 
for(i=0; i<ls->ncells; ++i) 
free(ls->cellID[i].v); 





free (ls->cellID); 


80 


(sd) 




















ls->cellExists=(u8 *)malloc(ls-—>ncells*sizeof(u8)); 
for (i=0; i<ls->ncells; i) { 
if (ls->nCover[0] [i]>0 | 1ls->nCover[1] [i]>0) 
ls->cellExists[i]=1; 
else 
ls-—>cellExists[i]=0; 














} 
eqmin->nnt+t+; 
eqmax->nntt+; 














free (x); 
free(ci.v); 


void tryEstablishLink (struct system *S, int eqnr0, int eqnrl) { 
struct eqSymbol *eqmin, *eqmax; 
struct linkSymbol *1s; 




















int i, commondim, sumnl;// !! deleted var: , sumnlw; 
u32 **U; 
if (S->E[eqnr0] .nrhs<S->E[egqnr1].nrhs) { 
eqmin=S->Et+eqnr0; 
eqmax=S->E+egnrl; 
} 
else{ 
eqmin=S->E+eqnrl; 
eqmax=S-—>Et+eqnr0; 


}//eqmin goes on top when computing U! 
sumnl=eqmin->nlint+tegqmax->nlin; 
// !! deleted var: sumnlw=(sumnl1+31)>>5; 
U=(u32 **)malloc(sumnl*sizeof(u32 *)); 
commondim=computeU (eqmin, eqmax,U) ; 
if (commondim>0) {/* eqmin and egmax can exchange information, 
establish link */ 
1ls=S->L+S-—>nlink; 
1ls->linknr=S->nlink; 
if (commondim<32 && (1<<commondim) <eqmin->nrhs) 
establishSmallLink (eqmin, eqmax, 1s, U+(sumnl-commondim) , commondim) ; 
else 
establishBigLink (eqmin, eqmax, 1s, U+(sumnl-commondim) , commondim) ; 
S->nlink+t+; 
} 


























for(i=0; i<sumnl; ++i) 
free(U[i]); 
free (U); 


void linkSystem(struct system *S) { 

/* Establishes connections for all pairs of equations that can 
exchange information */ 

int i, j, eqOni, eqlini; 

struct eqSymbol *eq0, *eql; 

struct linkSymbol *1s; 


S->nlink=0; 
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for(i=0; i<S->neq; ++1) { 
S->E[i] .nn=0; 
S->E[i].coverID=(u32 **)malloc((S->neq-1) *sizeof (u32 *)); 
S->E[i].link=(struct linkSymbol **)malloc((S->neq-1) *sizeof (struct 
linkSymbol *)); 








S->L=(struct linkSymbol *)malloc(((S->neq* (S->neq 
1))/2)*sizeof (struct linkSymbol)) ; 
for(i=0; i<S->neq-1; ++i) { 
for(j=itl; 3<S->negq; ++)) 
tryEstablishLink(S,i,j); 











} 

S->L=(struct linkSymbol *)realloc(S->L,S->nlink*sizeof (struct 
linkSymbol)); 

for(i=0; i<S->neq; ++1) { 

S->E[i].coverID=(u32 **)realloc(S->E[i].coverID,S- 

>E[i].nn*sizeof(u32 *)); 
S->E[i].link=(struct linkSymbol **) realloc(S->E[i].link,S- 
>E[i].nn*sizeof (struct linkSymbol *)); 

} 
} 



































void deLinkSystem(struct system *S) { 
/* Removes all links in S and frees the memory */ 
Re 7 
struct eqSymbol *eq; 
struct linkSymbol *1li; 











for (eq=S->E; egq<S->E+S-—>neq; ++eq) { 
if (eq->nn>0) { 
for(i=0; i<eq->nn; ++i) 





free (eq->coverID[i]); 
free (eq->coverID) ; 
free (eq->link); 
eq->nn=0; 


} 





} 

for (li=S->L; 1i<S->L+S->nlink; +411) { 
free (li->nCover[0]); 
free (li->nCover[1]); 
free (li->cellExists); 

} 

free (S->L); 

S->nlink=0; 

} 














void makeLinkTab(struct system *S, int **LT) { 











Eis baer 
for(i=0; i<S->neq; ++1) 
LT[iJ=(int *)calloc(S->neq, sizeof (int)); 
for(i=0; i<S->nlink; ++i) { 
iT[S->L[i] .nlist [0] -—(S->E) ] [S->L[1].nlist[1]-(Ss- 
>E) J=(int) ceil (log2(S->L[i].ncells)); 
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LT [S->L[i] .nlist[1]-(S->E) ] [S->L[i] .nlist[0]-(S- 
>E) J=(int) ceil (log2 (S->L[i].ncells)); 
} 
} 














void printLinkTab(int **LT, int n){ 
Loe dy yy 


for (i=0; i<n; ++i) { 
for(j=0; j<n; ++35){ 
printf ("%2d",LT[i] [j]); 
if ((44+1) %5==0) 
prance (I ") 

} 

Lf ((i+1) $5==0) { 
printf ("\n"); 
for(j=0; j<n; ++)3) 
prance ("=="); 
for (j=0; j<n/5; ++3) 
prLanest ("="); 

} 

printf ("\n"); 

} 
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APPENDIX B 


(These codes are intended only to be used for experiments with the 
MRHS method, and neither their author nor the author of this thesis takes any 


responsibility for their use). 


A. GENERATION OF AN EQUATION 


/* 
aes_eqs.c 
D. Canright 2008 Sep 10 Wed 12:44:56 

Generate MRHS Equations for 

Small-scale Variants of the AES algorithm 

Also does the encryption! 

Notes: always uses * form: last round no MixCols 
always keysize = block size 

optional command line arguments: 














variant (string) = "nrce" to specify small-scale variant of AES: 
n (hex) is # rounds ( 1 —- A; default=A=10 ) 
r (int) is # rows (1, 2, 4; default=4 ) 
c (int) is # cols (1, 2, 4; default=4 ) 





e (int) is # bits in word ( 2, 4, 8; default=8 ) 
defaults are "A448" for standard AES = SR*(10; 4; 4; 





8) 
input (hex) = plaintext block (default is zero block) 
output (hex) = key block (default is zero block) 
outfile (string) = filename of output file (default is stdout) 


while all the above are optional, you must have one to have the next... 





save all the X state data (output of S-box after ShiftRows) and K key 
data, 
print it out after the equations. 
encryption re-organized the to give the X state: 
put ShiftRows before S-box, as part of previous round 
do NOT do "in place"; rather, put result in new place. 
(ARS) (MARS)*(n-1) (A) rather than 
(A) (SRMA)*(n-1) (SRA) [where R is RowShift, S is SubstBytes, ...] 
Does actual KeySchedule and Encrypt. 
(Note: keep InvMix in case do non-star versions). 
“7 
#include <stdio.h> 
#include <string.h> 








#define MAXROUNDS 10 

#define MAXROWS 4 

#define MAXCOLS 4 

#define MAXBITS 8 

#define MAXBLOCK MAXROWS*MAXCOLS 

#define MAXKEY MAXBLOCK 

#define MAXVARS MAXROUNDS*MAXROWS* (MAXCOLS+1) 
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#define S 


unsigned 
unsigned 
unsigned 
unsigned 
int nRoun 
block, 
KeyBi 
int nEqs, 
unsigned 





enum InOut { In, 


enum VarT 


unsigned 


R(c,r) ( (ctr) & 


char RoundKeys[ (MAXROUNDS + 1) 


(nCols-— 


1) ) 








* MAXBLOCK] ; 


char States[(MAXROUNDS + 2) * MAXBLOCK]; 

int *Log; 

char *ALog, *Sbox, *Mix, *InvMix, fieldmask; 

ds = 10, nRows = 4, nCols = 4, nBits = 8, star = 1, field, 

ts, KeyCols, nkKeyCols; 

nVars, nkKeyVars; 

char PT[MAXBLOCK], CT[MAXBLOCK], Eq[2] [MAXVARS], Data[2]; 
Out. }s 

ype { Key, X, State }; 


int Log8[256] { 


0x00,0x00,0x19,0x01,0x32,0x02,0x1A, 0xC6, 0x4B, 0xC7, 0x1B, 0x68, 0x33, OxEE, 0 


xDF,0x03, 
0x64,0x04 
x1C,0OxCl, 


Ox7D, 0xC2,0x1D, 0xB5, OxF9, 0xB9, 0x27, 0Ox6A, Ox4D, 0x 


x09,0x78, 
0x65, 0x2F 
xDA, 0x8! 
0x96, 0x 
x83,0x38, 
0x66, 0xD 
x91,0x10 
Ox7E,0x6 
x3D,0xBA, 


a 
Sy 





f 














0x2B, 0x79, 0x0A, 0x15, 0x9B, 0x9F, 0x5! 


xA7,0x57, 
OxAF, 0x58 
xAD, OxE8, 
Ox2C,0xD7 
x51,0xA0, 





Ox7F,0x0C, OxF6, Ox6F,0x17,0xC4,0x49, 0x 


x7B,O0xB7, 
OxCC, 0xBB 
x29,0x9D, 
0x97,0xB2 
x5B,0xD1, 


0x53,0x39,0x84, 0x3C, 0x41, 0xA2,0x6 


xD3, OxAB, 





XE3,0xA5, 
0Ox67,0x4A 
x70,0x07, 
}; 


unsigned 


0x01,0x03,0x05, 0x0F,0x11,0x33,0x55, OxFF, Ox1A, 0x2! 


x13,0x35, 








E0, 0x0 





, OX 





EB, 0x34,0x8D, 0x81, 0x 








BF,Ox4C,0x71,0x08, 0xC8, OxF8, 0x69, 0 


B4,O0xA6, 0x72,0x9A, 0xC9, 0 


,Ox8A,0x05,0x21,0x0F, O0OxE1,0x24,0x12, 0xF0, 0x82, 0x45, 0x35,0x93,0 





8F,0xDB, 0xBD, 0x36, 0xD0,0xC 


EF, 0x48,0xC3, 0xA3,0xB6, 0x1 


,OxXA8,0x50, 0OxF4, OXEA, 0xD6,0x74, 0Ox4F,0xA 











BE, 0x94,0x13,0x5C,0x 


BE, OXCA, 0x4! 








FE, OxD4, OxXAC, Ox 











EL, OXE 





D2, 0xF1,0x40,0x46,0 
D, OxFD, 0x30, OxBF, 0x06, 0x8B, 0x62, 0xB3, 0x25, OxE2, 0x98, 0x22,0x88,0 


BE, 0x42, 0x3A, 0x6B, 0x28, 0x54, OxFA, 0x85, 0 


E5,0xF3,0x73,0 





9,0xD5, OxE7, OxE6, 0 


,0x75,0x7A, OXEB, 0x16, 0x0B, OxF5, 0x59, 0xCB, 0x5F,0xBO, 0x9C, OxA9, 0 








EC,OxD8,0x43,0x1F, 0x2D, 0xA4, 0x76, 0 


,OxX3E,0x5A, OxFB, 0x60, 0xB1,0x86, 0x3B, 0x52, 0xA1,0x6C, 0OxAA, 0x55, 0 








,0x87,0x90,0x61,0xBE, 0xDC, OxXFC, 0xBC, 0x95, OxCF, OxCD, 0x37, 0x3F,0 








ED, OxD 





, OX 





char ALog8 [256] { 





D,0x47,0x14, 0x2A, 0x9 








EB, Ox5D,0x56, 0OxF2,0 


0x44, 0x11,0x92,0xD9,0x23,0x20,0x2E, 0x89, 0xB4, 0x7C, OxB8, 0x26, 0x77, 0x99,0 


BE, O0xC5,0x31, 0OxFE, 0x18, 0x0D,0x63,0x8C,0x80,0xC0O, OxF7,0 


B,0x72,0x96, OxAl, OxF8, 0 


Ox5F, OxE1, 0x38, 0x48, 0xD8, 0x73,0x95, 0xA4, OxXF7, 0x02, 0x06, 0x0A, Ox1E, 0x22,0 





x66, O0xAA, 


86 


Ox! 
xE6,0x31, 














B5,0x34,0x5C, 0OxE4, 0x37,0x59, OxEB, 0x26, 0x6A, OXBE, 0xD9,0x70, 0x90, OxXAB, 0 








0x53, 0xF5,0x04, 0x0C, 0x14, 0x3C, 0x44, 0xCC, 0x4F, 0xD1, 0x68, 0xB8, 0xD3, 0x6E, 0 


xB2,0xCD, 





Ox4C, 0xD4, 0x67, 0xA9, OXEO, 0x3B, 0x4D, 0xD7, 0x62, OxA6, OXF1,0x08,0x18,0x28,0 


x78,0x88, 


0x83, 0x9E, 0xB9, 0xD0O, 0Ox6B, 0xBD, OxDC, 0Ox7F,0x81,0x98,0xB3, 0xCE, 0x49, 0xDB, 0 





x76,0x9A, 





0xB5,0xC4, 0x57, O0OxF9, 0x10, 0x30,0x50, 0xF0, 0x0B, 0x1D, 0x27, 0x69, 0xBB, 0xD6, 0 


x61,0xA3, 
OxFE, 0x19, 0x2B, 0x7 
x60,0xA0, 





D,0Ox87,0x92,0xAD, 0x 








EC,Ox2F,0x71,0x93,0xA 








E, OXE9, 0x20, 0 





OxFB, 0x16, 0x3A, 0x4E, 0xD2, 0x6D, 0xXB7, 0xC2,0x5D, 0xE7, 0x32, 0x56, OxFA, 0x15, 0 


x3F,0x41, 
OxC3, 0x5E, 0x 
xDA, 0x75, 
Ox9F,OxBA, 0x 
x89,0x80, 











B2,0x3 

















D,0x47,0xC9,0x40, 0xC0O, 0x5B, OxXED, 0x2C, 0x74, 0x9C, OxBF, 0 








D5,0x64, 0xAC, OxEF, 0x2A, Ox7E, 0x82, 0x9D, 0xBC, OxDF, 0x7A, 0x8E, 0 





0x9B, 0xB6, 0xC1, 0x58, 0xE8, 0x23,0x65, OxXAF, OXEA, 0x25, Ox6F, 0xB1,0xC8,0x43,0 


xC5,0x54, 


OxFC, Ox1F,0x21,0x63,0xA5, 0xF4,0x07,0x09,0x1B, 0x2D, 0x77,0x99, 0xBO, 0OxCB, 0 


x46, 0xCA, 
0x45, 0xCF, 0x4A, 0x 
xF3,0x0E, 
Ox12,0x36, 0x5A, 0x 
x0D,O0x17, 


D 














r 





E,0x79,0x8B, 0x86, 0x91,0xA8, 0x 








E3,0x3 





E,0x42,0xC6,0x51,0 





B,0x29,0x7B, 0x8D,0x8C, 0x8F, 0Ox8A, 0x85,0x94, OxA7, OxF2, 0 


0x39,0x4B, OxDD, 0x7C, 0x84, 0x97, 0OxA2, OXFD, OxX1C, 0x24, 0x6C, 0xB4, 0xC7,0x52,0 


xF6,0x01, 
}; 


0, 
}; 


Oo, 41, 4, 


unsigned char ALog4[16] 
I, 2, Ay 8% By 6; 
}; 

unsigned int Log2[4] = { 
0; 0; 
hi 
unsigned char ALog2[4] = { 
ys Ty, By alee 

}; 


unsigned char Sbox8[256] = { 


0x63,0x7C,0x77,0x7B, OxXF2, 0x6B, Ox6F, 0xC5,0x30,0x01,0x67,0x2B, OxXFE, 0xD7,0 


xAB, 0x76, 


OxCA, 0x82, 0xC9, 0x7D, OxFA, 0x59,0x47, 0xF0, OxXAD, 0xD4, OxA2, OxXAF, 0x9C, 0xA4,0 


x72,0xC0, 


OxB7, OxFD, 0x93, 0x26, 0x36, 0x3F, OxF7, 0xCC, 0x34, 0xA5, OXE5, OxF1,0x71,0xD8,0 


x31, 0x15; 








0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0Ox9A, 0x07, 0x12, 0x80, OxE2, OxXEB, 0x27, 0 


xB2,0x75, 


87 


0x09,0x83,0x2C, Ox1A, 0x1B, 0x6 


x2F,0x84, 


0x53,0xD1,0x00, 0x 


x58,0xCF, 











ED,0x20,0xFC, 0xB1,0x5B, 0x6A, 0xCB, 0xB 


BE, Ox5A,OxA0, 0x52,0x3B, 0xD6, 0xB3, 0x29, 0xE 








3,0 


E, 0x39, 0x4A, 0x4C, 0 


OxDO, OxEF, OxAA, OxFB, 0x43, 0x4D, 0x33, 0x85,0x45, 0OxF9, 0x02, 0x7F,0x50,0x3C,0 


x9F,0xA8, 


0x51,0xA3,0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, OxDA, 0x21,0x10, OxFF, 0 


xF3,0xD2, 


OxCD, 0x0C,0x13, 0x 


x19,0x73, 


0x60,0x81,0x4F, 0x 


x0OB, OxDB, 


OxEO, 0x32,0x3A, 0x0A, 0x49, 0x06,0x24, 0x5C,0xC2, 0x 


xE4,0x79, 





OxE7,0xC8,0x37,0x6 





xAE, 0x08, 


OxBA, 0x78,0x25,0x2 


x8B,O0x8A, 





0x70, 0x3E,0xB5,0x66,0x48, 0x03, 0xF6, 0x0! 


x1D,0x9E, 








OxEl1, OxF8,0x98,0x11,0x69,0xD9, 0x8E, 0x94, 0x9B, 0x1 


x28,0xDF, 


Ox8C, 0OxAl, 0x89, 0x0D, OxBF, 0x 


xBB, 0x16, 
}; 


unsigned char Sbox4[16 





D,0x8D,0xD5, 0x4! 





DC, 0x22, 0x2A,0x90,0x88, 0x46, 0x 





EB, Ox1lC,O0xA6, 0xB4,0xC6, 0x 








= tt 














BE, OxA9,0x6C, 0x56, OxF4, 0x 











EC, Ox5F,0x97,0x44,0x17,0xC4, OxA7, OX7E, 0x3D, 0x64,0x5 





D, 0 





1E, OXB8, 0x14, 0xDE, 0x5 








EB, 0 











BE, O0x87,O0xE9, OxCE, 0x5 











] 
0x6, 0xB, 0x5,0x4,0x2,0xE, 0x7, 0OxA, 0x9, OxD, OxF, 0xC, 0x3, 0x1,0x0,0x8, 


hi 


unsigned char Sbox2[4] 


2 3y iy 0, 
}; 


unsigned char Mix4[4] 
0x2,0x3,0x1,0x1, 


hi 





=a 


unsigned char InvMix4[4] = { 





OxE, OxB, OxD, 0x9, 


hi 


unsigned char InvMix42[4] = { 


0x0,0x2,0x3,0x0, 


hi 


unsigned char Mix2[2] 


0x3,0x2, 
}; 


unsigned char Mix1[1] 


Oxl1, 
}; 


// maltiiply by "2" an 


field 
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D3, OxXAC, 0x62,0x91,0x95,0 
BA,0Ox65,0x7A,0 
E8,O0xDD, 0x74, 0x1F,0x4B, 0xBD, 0 


BE, 0x61,0x35,0x57,0xB9, 0x86, 0xC1,0 


5,0 


E6,0x42,0x68, 0x41, 0x99, 0x2D, 0x0F, 0xBO, 0x54, 0 


#define POLY8 
#define POLY4 
#define POLY2 
unsigned char 
unsigned char 





unsigned 
y=x << 
if (x & 


return( y 


} 


Ox1B 
0x13 
0x07 
HIBIT, 
mul2 
char y; 
1; 
HIBIT ) 
\; 


POLY; 


y 


“= POLY; 


// multiply two bytes in field 
unsigned char mul(unsigned char x, 


{ 


if (x && y) 
return 
else 
return (0); 


} 


#include "eqs_io.h" 


// set up specific small-scale variant of A 
// assumes main() 


int setup (vo 


{ 


Int. retu 


id) 


rnval = 0; 


(ALog[ (Log [x] 


already set: 


vl 


(unsigned char x) { 


+ Logly]) 


unsigned char 


// include I/O package 


// check parameters for validity 











if (nRounds < 1 
nRounds = 10; 
returnval = 1; 

} 

if (!(nCols == 1 
nCols = 4; 
returnval = 1; 

} 

switch (nBits) { 

case 2: 

Log = Log2; 

ALog = ALog2; 
Sbox = Sbox2; 
POLY = POLY2; 
field = 4; 
break; 

case 4: 

Log = Log4; 

ALog = AlLog4; 
Sbox = Sbox4; 
POLY = POLY4; 
field = 16; 
break; 

default: 
nBits = 8; 


nRounds > 


nRounds, 


MAXROUNDS ) 


2 
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nCols 





ES 
nRows, 


{ 


nCols; 


)) 


{ 


nBits, 


star 


retur 
case 8: 
Log 
ALo 
Sbox 
POLY 
field 
break 





switch 
case l: 
Mix 
break 
case 2: 
Mix 
break 
default 


nRows = 


retur 
case 4: 
Mix 
InvMi 
break 


} 

fieldma 
HIBIT 
setScal 
block 
KeyBits 
KeyCol 
KeyVar 











return 


int KeySche 
{ 
int col 
int xc; 
unsigne 


colbits 
KeyCols 
#define NOI 
#if NOISY 
fprintf(s 
Key=% 
colbits, 


td 


K 


nval // if bad value, fall thru 


= 1; use default, 


= Log8; 

g ALog8; 

= Sbox8; 

POLY8; 
256; 


, 


(nRows) 


InvMix Mixl; 


1, 


InvMix Mix2; 


, 
4; 
nval 


oe // if bad value, use default, fall thru 


Mix4; 
(nBits 


x 2? InvMix42 


) 


InvMix4; 
, 


sk field - 
1 << (nBits 1); 
e(); // set up bit matrices for scalars 


nRows * nCols; 








= block * nBits; 
s = (nRounds + 1) * nCols; 
s = block + nRounds * nRows; 
nKeyVars + block * (nRounds - 1); 
nVars; 
returnval; 


dule(unsigned char Key[]) 


bits, returnval 0; 
Cy 

d char col[MAXROWS], t, recon; 
= nRows * nBits; 

KeyBits / colbits; 


0 


SY 





rr,"—-KeySched: colbits=%d, KeyCols=%d, 





nKeyCols=%d, 


eyCols, nKeyCols, Key); 


engi 
fprintf(s 
Loe (Ur 
"SO1X 
fprin 


tderr, "—Key: 
0; 
Key[r]); 

Edérr, “\n")< 











r < block; 


Py 


rd 





t+) fprintf(stderr, ((nBits>4) ? "%S0O2x" 


fflush(stderr); 
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#endif 
/* Copy key */ 
for (c = 0; c < KeyCols; ctt) 


for (r = 0; xr < nRows; rtt) 
RoundKeys[r + nRows * c] = Key[r + nRows * c]; 
for (r = 0; xr < nRows; rtt) 
col[r] = Key[r + nRows * (c - 1)]; 
#if NOISY 


fprintf(stderr, "—-KeySched: Key copied; c=%d, col= ", c); 

for (r = 0; r < nRows; r++) fprintf(stderr, (nBits>4) ?"S02X":"%S01X", 
col[r]); 
fprintf(stderr,"\n"); fflush(stderr); 








#fendif 
for (rcon = 1; c < nKeyCols; ctt+) { 
/* calculate new columns until enough */ 
if (c % KeyCols == 0) { 
t = col[0]; 
for (r = 0; xr < (nRows - 1); rtt) 
col[r] = Sbox[col[r + 1]]; 
col[nRows - 1] = Sbox[t]; 
col[0O] *= rcon; 
#if NOISY 


fprintf(stderr, "-KeySched: apply F; t=%X, rcon=%X, col= ", t, recon); 
for (r = 0; r < nRows; r++) fprintf(stderr, (nBits>4) ?"S02X":"%S01X", 

col[r]); 

fprintf(stderr,"\n"); fflush(stderr); 








#fendif 
reon = mul(2, rcon); 
} 
// need to handle KeyCols = 1 differently 
for (r = 0; xr < nRows; rtt) 
RoundKeys[r + nRows * c] = (KeyCols == 1) ? col[r] 
(col[{r] *= RoundKeys[r + nRows * (c -— KeyCols)]); 
#if 0 
fprintf(stderr, "-KeySched: RoundKeys col[%d]= ", c); 


for (r = 0; r < nRows; r++) fprintf(stderr, (nBits>4) ?"S02X":"%S01X", 
RoundKeys[r + nRows * c]); 
fprintf(stderr,"\n"); fflush(stderr); 
#endif 
} 


return returnval; 


} 


// do one round on block: (ARS) for #0 or else (MARS) 
void doround(unsigned char State[], unsigned char roundKey[], 
int round) 
{ 
unsigned char t [MAXROWS]; 
int i, r, c, offset=0; 


if (round) // if normal round 
for (c = 0; c < nCols; c++) { 
for (r = 0; xr < nRows; rtt) 
for (t[r] =i = 0; i < nRows; itt) 
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tle] “= // MixColumns 



































mul (Mix[i], State[((r + i) % nRows) + nRows * 
c]); 
for (r = 0; xr < nRows; rtt) 
State[block + r + nRows * c] = t[r]; 
} 
lse offset = -block; 
State += block; 
for (i = 0; i < block; itt) 
State[i] = State[offset+i] * roundKey[i]; // AddRoundKey 
for (r = 1; r < nRows; rt+t) {f{ 
for (c = 0; c < nCols; ct+t) // ShiftRows 
t{c] = State[r + nRows * ((c + r) % nCols)]; 
for (c = 0; c¢ < nCols; c++) 
State[r + nRows * c] = t[c]; 
} 
for (i = 0; i < block; itt) 
State[i] = Sbox[State[i]]; // SubBytes 


} 


// do round #n on block: (A) 
void doroundn(unsigned char State[], unsigned char roundKey[]) 
{ 


Sith. 15 


for (i = 0; i < block; itt) 
State[block + i] = State[i] * roundKey[i]; ii 
AddRoundKey 
} 


// encrypt block (NOT in place - keep output of each S-—box) 
void encrypt ( void ) 
{ 


int i, round; 


for (i = 0; i < block; itt) 

States[i] = PT[il]; // copy PT in 
for (round = 0; round < nRounds; roundtt+) { 

doround( States + round*block, RoundKeys + round*block, 

} 
doroundn (States + round*block, RoundKeys + round*block); 
for (i = 0; i < block; itt) 

CT[i] = States[(nRounds+1) *block + i]; // copy CT out 























for (r = In; r <= Out; rtt) { 

Data[r] = 0; 

for (i = 0; i < nVars; itt) 
Eq[r] [i] = 0; 
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round) ; 


int VarNum( enum VarType var, 





int round, int col, int row ) 
{ 
switch (var) { 
case Key: 
if (round == 0) 
return ( col * nRows + row 
else // then col == 
return ( block + (round-1) 
case X: 
return ( nKeyVars + (round-1) 
} 
return ( 0 ); // dummy 


void AddVar( enum InOut line, 

















); 
* nRows + row 


i 


* block + col * nRows + row 


enum VarType var, 





int round, int col, int row, int scale ) 
{ 
ies Ors 
switch (var) { 
case Key: 
if (round == || col == 0) 
Eq[line][ VarNum( Key, round, col, row ) “= scale; 
else { 
AddVar( line, Key, round, col-1l, row, scale ); 
AddVar( line, Key, round-1, col, row, scale ); 
} 
break; 
case X: 
Eq[line][ VarNum( X, round, col, row ) ] *= scale; 
break; 
case State: // scale must be 1 
for (r = 0; xr < nRows; rtt) { 
AddVar( line, X, round, col, (rowtr)&(nRows-1), Mix[r] 
} 
AddVar( line, Key, round, col, row, 1 ); 
break; 
} 
} 
void KeyScheduleEqs (void) 
{ 
iE ip Te 
unsigned char rcon; 
for (i = 1, recon = 1; i <= nRounds; itt) { 
for (r = 0; r < nRows; rtt) { 
NewEq(); 
AddVar( Out, Key, i, 0, r, 1); 
if ( nCols > 1 ) AddVar( Out, Key, i-1, 0, xr, 1); 
AddVar( In, Key, i-1l, nCols-1, (r+1)&(nRows-1), 1); 
if ( r == ) Data[ Out ] = rcon; 
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i 


i 





WriteEq(); 
} 
recon = mul2(rcon); 


} 


// do only 1 round on block 





void doonlyroundEgs (int round) 


{ 

















Sv ey. 36% 
for (c = 0; c < nCols; c++) { 
for (r = 0; xr < nRows; rtt) { 
NewEq(); 
AddVar( Out, Key, round, c, r, 1); 
Data[ Out ] = CT[ r + nRows * c ]; 
AddVar( In, Key, round-1l, SR(c,r), r, 1); 
Data[ In ] = PT[ r + nRows * SR(c,r) ]; 
WriteEq(); 
} 
} 
} 
// do round #1 on block 
void doroundlEqs (int round) 
{ 
Lat 0p; 
for (c = 0; c < nCols; ctt) { 
for (r = 0; xr < nRows; rtt) { 
NewEq(); 
AddVar( Out, X, round, c, r, 1); 
AddVar( In, Key, round-1l, SR(c,r), r, 1); 
Data[ In ] = PT[ r + nRows * SR(c,r) ]; 





WriteEq(); 


} 


// do one round on block 
void doroundEgs (int round) 


{ 








Dae ©; °C: 
for (c = 0; c < nCols; ct+) { 
for (r = 0; r < nRows; rtt) { 
NewEq(); 
AddVar( Out, X, round, c, r, 1); 
AddVar( In, State, round-1, SR(c,r), Yr, 
WriteEq(); 





} 


// do round #n on block 


94 





void doroundnEqs (int round) 


{ 


ia. 15: Cs 


for (c = 0; c < nCols; ctt+) { 
for (r = 0; xr < nRows; rtt) { 





AddVar( Out, Key, round, c, r, 1); 

AddVar( In, State, round-1, SR(c,r), r, 1); 
Data[ Out ] = CT[ r + nRows * c ]; 
WriteEq(); 





= 


void EncryptEqs (void) 








int round; 


if ( nRounds == ef 
doonlyroundEgqs (1); 
return; 
} 
doroundlEqs (1); 
for (round = 2; round < nRounds; roundtt) { 
doroundEqs (round) ; 








} 
doroundnEgqgs (round) ; 





} 


int main(int argc, char *argv[]) 


{ 
unsigned char Key [MAXBLOCK] ; 


if (argc > 1) { 
sscanf(argv[1], "%1x%1d%1d%1d", 
&nRounds, &nRows, &nCols, &nBits); 
} 
fprintf(stderr, " nRounds=%d, nRows=%d, nCols=%d, nBits=%d, 
sbtar=%d\n", 
nRounds, nRows, nCols, nBits, star); 
if (setup()) 
fprintf(stderr, 
"Bad parameter(s); now:\n nRounds=%d, nRows=%d, nCols=%d, 
nBits=td, star=sd\n", 
nRounds, nRows, nCols, nBits, star); 
// by default KeyBits = bits in block 








ReadBlock( (argc > 2) ? argv[2] : "", PT); 
ReadBlock( (argc > 3) ? argv[3] : "", Key); 
if (argc > 4) 
if (freopen(argv[4], "w", stdout) != stdout) { 
fprintf(stderr, "Could not open output file %s\n", argv[4]); 
return 1; 
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KeySchedule (Key) ; 
encrypt (); 


WriteSystemHeader (); 
KeyScheduleEqs (); 

// do only single block 
EncryptEqs () ; 











WriteVars(); 


printf(" nRounds=%d, nRows=%d, nCols=%d, nBits=%d, 


nRounds, nRows, nCols, nBits, star); 
WriteKeys(); 
WriteStates(); 


return (0); 


B. MRHS algorithm 
Yas 


Mrs iC 
D;: Canright 2008 Aug 22 Fri. 13:58:27 
Interactive tool to solve MRHS equations 


input file format: 
header: 

NVAR # variables 

neq # equations (symbols) 
for each equation symbol: 

nlin # rows 

nrhs # RHS 


A (by rows, binary) 
b (by cols; banary) 
*/ 
#include "mrhs.h" // includes all others 





#include <ctype.h> 


int main(int argc, char *argv[]) 
{ 
ing i, a 
char input[101], *filename; 
char menu[] = { 
"Enter commands from the menu below.\n" 





" # means a number is required: use nondigit for default value 


haiity \n" 

uae linkSystem(S);\n" 

Ne agreeSystem(S);\n" 

"ea deLinkSystem(S);\n" 

"g # packSystem(S, #); (glue) \n" 
< extracthLinearinto (Ss) \n" 
"ww writeSystem(S);\n" 
i # EquationInfo(&S->E[#]);\n" 








Sstar=sa\n", 


(or for 





"Dp # printEquation(&S->E[#]);\n" 

"oe print LinEquation (S=>Slinbank, 0, S->linbank=>nlin) ; \n" 
Wie writeLinkTab(S, 36);\n" 

NG QUIT (exit) \n" 











ii. struct eqSymbol *tmpeq = (struct eqSymbol *) malloc(sizeof (struct 
eqSymbol)); 
struct system *S = (struct system *) malloc(sizeof (struct system 


); 
CHECKPTR(S); // test of macro 





/* 
read in header, set up sys, setup & read eqns 
link system 








agree 
glue 
ay, 
#if O 
1° = 0; 
CHECKPTR(i); // test of macro 
return (0); 
#endif 
if ( argc > 1) filename = argv[1]; 
else { 
fprintf( stderr, "Enter filename for input system: "); 
scanf("%100s", input); 
filename = input; 
} 
if ( readSystem(S, filename) ) { 








fprintf( stderr, "Error in main: did not get input system; abort!\n" 
i 
return (1 ); 
} 
printf ("got: NVAR = %d (NWORDS = %d); neq = %d\n", NVAR, NWORDS, S->neg 
\; 


printf (menu) ; 


while ( scanf("%S100s",input) == ) { 
switch (input[0]) { 

case 'a': 

case 'A': 


printf("** agreeSystem\n"); 
agreesystem(S); 








break; 

case 'e!': 

case 'E!': 

printLinEquation(S->linbank, 0, S->linbank->nlin); 
break; 

case 'd': 

case 'D!': 


printf ("** deLinkSystem\n"); 
deLinkSystem(S) ; 

break; 

case 'p!': 
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case 'P!: 
if ( input[1] ) i=1; 
else { scanf("%100s",input); i = 0; } 
if ( isdigit(input[i]) ) { 
sscanf( inputt+i, "Sd", &i ); 





if (i <0 || i >= S->neq ) {fprintf(stderr," bad eq #: %d\n",i); 


break; } 
printEquation(&S->E[i]); 
} 
else 
for(i=0; i<S->neg; ++i) printEquation(&S->E[i]); 
break; 
case 'i': 
case "I": 
if ( input[1] ) i=1; 
else { scanf("%100s",input); i = 0; } 
if ( isdigit(input[i]) ) { 
sscanf( inputt+i, "Sd", &i ); 




















if (i <0 || i >= S->neq ) {fprintf(stderr," bad eq #: %d\n",i); 


break; } 
EquationInfo(&S->E[i]); 
} 
else 
for(i=0; i<S->negq; ++i) EquationInfo(&S->E[i]); 
break; 














case “o's 

case 'G': 

if ( input[1] ) i=1; 

else { scanf("%100s",input); i = 0; } 


if ( isdigit (input[i]) ) 
sscanf( inputt+i, "Sd", &i ); 
else 








i = 1024; // arbitrarily picked a (small) max size of glued eqns 


printf("** packSystem (glue); max = %d\n", i); 
packSystem(S, i); 


break; 
case '1': 
case 'L': 


printf("** linkSystem\n") ; 
linkSystem(S); 

break; 

case 'q': 

case 'Q!': 

return 0; 

case 't!: 

case 'T!': 

writeLinkTab(S, 36); 
break; 

case ‘wl: 

case 'W!': 

writeSystem(S); 

break; 

case 'x!: 

case 'X!': 

printf("** extractLinearInfo\n"); 
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extractLinearInfo(S); 


break; 

default: 

printf (menu) ; 

break; 

} 

printf("now: neq = %d ; nlink = %d ; linbank = %d\n", 


S->neq, S->nlink, S->linbank->nlin ); 


} 


return (0); 
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